Bug 1846270 (CVE-2020-10770)

Summary: CVE-2020-10770 keycloak: Default Client configuration is vulnerable to SSRF using "request_uri" parameter
Product: [Other] Security Response
Reporter: Paramvir jindal <pjindal>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, avibelli, bgeorges, chazlett, cmoulliard, dkreling, drieden, etirelli, ggaughan, gmalinko, ibek, ikanello, janstey, jbalunas, jochrist, jpallich, jstastny, jwon, krathod, kverlaen, lthon, mnovotny, mszynkie, pdrozd, pgallagh, pjindal, rrajasek, rruss, rsynek, sdaley, security-response-team, sthorger
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
See Also: https://issues.redhat.com/browse/KEYCLOAK-14464
Fixed In Version: keycloak 13.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
Story Points: ---
Last Closed: 2021-02-01 14:41:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1836188

Description Paramvir jindal 2020-06-11 09:09:29 UTC
The "request_uri" is an optional parameter in the OIDC Authentication Request that allows specifying an external URI where the Request object may be found. As the Identity Provider is supposed to request the external Request object, this parameter can easily be used to launch an SSRF attack against the IdP.

https://issues.redhat.com/browse/KEYCLOAK-14019
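The defensive counterpart to the report above is to treat request_uri as untrusted input and verify it against values the client pre-registered before the IdP dereferences it. The following Python is an added example written for this page; it is not Keycloak's code. CLIENT_REGISTRY, validate_request_uri, is_public_host and the sample URIs are constructed for the illustration, and the allow-list is a stand-in for whatever per-client configuration a real IdP stores.

```python
"""Added example (not Keycloak's code): gate an OIDC request_uri on a
per-client allow-list and basic host checks before the IdP fetches it."""
from urllib.parse import urlparse
import ipaddress

# Constructed sample registry: each client lists the request_uri values
# (exact URLs, or prefixes ending in "/") it registered out of band.
CLIENT_REGISTRY = {
    "demo-client": {
        "allowed_request_uris": [
            "https://rp.example.com/oidc/request/",
        ]
    }
}


def is_public_host(host):
    """Reject loopback, private, link-local and similar hosts.

    Literal IP addresses are classified with ipaddress; for hostnames this
    only applies a minimal constructed deny-list. A production check must
    also re-validate the resolved address at connect time (DNS rebinding).
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return host.lower() != "localhost"
    return ip.is_global


def validate_request_uri(client_id, request_uri):
    """Return (accepted, reason) for a request_uri sent by client_id."""
    client = CLIENT_REGISTRY.get(client_id)
    if client is None:
        return False, "unknown client"
    parsed = urlparse(request_uri)
    if parsed.scheme != "https":
        return False, "request_uri must use https"
    if not parsed.hostname or not is_public_host(parsed.hostname):
        return False, "request_uri host not allowed"
    if ".." in parsed.path.split("/"):
        # Prefix matching below would otherwise be defeated by path traversal.
        return False, "request_uri path not normalized"
    for allowed in client["allowed_request_uris"]:
        if request_uri == allowed:
            return True, "ok"
        if allowed.endswith("/") and request_uri.startswith(allowed):
            return True, "ok"
    return False, "request_uri not registered for client"


if __name__ == "__main__":
    # Constructed inputs: one registered URI, one unregistered, one private host.
    for cid, uri in [
        ("demo-client", "https://rp.example.com/oidc/request/abc123"),
        ("demo-client", "https://other.example/req"),
        ("demo-client", "https://10.0.0.5/internal"),
    ]:
        print(cid, uri, validate_request_uri(cid, uri))
```

The ordering matters: scheme and host checks run before the allow-list so that a misconfigured allow-list entry cannot by itself open a path to internal addresses, and the allow-list is consulted per client so one client's registration does not extend to another.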

Comment 4 Paramvir jindal 2020-06-17 08:16:18 UTC
Acknowledgments:

Name: Lauritz Holtmann (@_lauritz_) (Chair for Network and Data Security at Ruhr University Bochum)

Comment 7 errata-xmlrpc 2021-02-01 13:45:03 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4 for RHEL 6

Via RHSA-2021:0318 https://access.redhat.com/errata/RHSA-2021:0318

Comment 8 errata-xmlrpc 2021-02-01 13:45:51 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4 for RHEL 8

Via RHSA-2021:0320 https://access.redhat.com/errata/RHSA-2021:0320

Comment 9 errata-xmlrpc 2021-02-01 13:46:23 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4 for RHEL 7

Via RHSA-2021:0319 https://access.redhat.com/errata/RHSA-2021:0319

Comment 10 Product Security DevOps Team 2021-02-01 14:41:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10770

Comment 11 errata-xmlrpc 2021-02-01 18:56:27 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.5

Via RHSA-2021:0327 https://access.redhat.com/errata/RHSA-2021:0327