Bug 1906797 (CVE-2020-27838)
Summary: | CVE-2020-27838 keycloak: Exploiting the client registration API | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Paramvir jindal <pjindal> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aileenc, akoufoud, alazarot, anstephe, avibelli, bgeorges, chazlett, cmoulliard, dkreling, ganandan, gmalinko, ibek, ikanello, janstey, jochrist, jpallich, jwon, kverlaen, lthon, mnovotny, mvk37, pantinor, pdrozd, pgallagh, pjindal, rruss, sdaley, sthorger |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://issues.redhat.com/browse/KEYCLOAK-16612 | ||
Whiteboard: | |||
Fixed In Version: | keycloak 13.0.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in keycloak. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1904057 |
Description
Paramvir jindal
2020-12-11 12:26:34 UTC
Acknowledgments: Name: Adam Devoe (SemaTree Inc.) According to the Jira issue this was fixed in RHSSO 7.5.0 |