Keycloak does not perform TLS hostname verification when sending emails via an SMTP server, which could result in information disclosure: a TLS client that accepts any trusted certificate, whatever host name it was issued for, cannot tell the real mail server from an intercepting one. External Reference: https://issues.redhat.com/browse/KEYCLOAK-13285
Mitigation: Turn off all kinds of email notifications including password reset mails.
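For operators who run their own JavaMail-based sender, the following is an added illustration (not Keycloak's code and not the fix shipped in the errata below) of the difference between an SMTP session that only enables STARTTLS and one that also asks JavaMail to check the server certificate against the configured host name; the host `smtp.example.com` and the class name are placeholders.

```java
import java.util.Properties;
import javax.mail.Session;

/** Added example: JavaMail SMTP session properties with and without identity checks. */
public final class SmtpSessionExample {

    /** STARTTLS is negotiated, but no server identity check is requested. */
    public static Properties unverifiedProperties(String host, int port) {
        Properties props = new Properties();
        props.setProperty("mail.smtp.host", host);
        props.setProperty("mail.smtp.port", Integer.toString(port));
        props.setProperty("mail.smtp.starttls.enable", "true");
        // Without mail.smtp.ssl.checkserveridentity, any certificate the JVM
        // truststore trusts is accepted regardless of the name it was issued to.
        return props;
    }

    /** Same session, but TLS is mandatory and the certificate must match the host. */
    public static Properties verifiedProperties(String host, int port) {
        Properties props = unverifiedProperties(host, port);
        props.setProperty("mail.smtp.starttls.required", "true");
        // Enables the RFC 2595 identity checks; JavaMail leaves this off by default.
        props.setProperty("mail.smtp.ssl.checkserveridentity", "true");
        return props;
    }

    /** Audit helper: true only when TLS is in use and identity checking is on. */
    public static boolean verifiesServerIdentity(Properties props) {
        boolean tls = Boolean.parseBoolean(props.getProperty("mail.smtp.starttls.enable", "false"))
                || Boolean.parseBoolean(props.getProperty("mail.smtp.ssl.enable", "false"));
        boolean check = Boolean.parseBoolean(
                props.getProperty("mail.smtp.ssl.checkserveridentity", "false"));
        return tls && check;
    }

    public static void main(String[] args) {
        Properties weak = unverifiedProperties("smtp.example.com", 587);
        Properties hardened = verifiedProperties("smtp.example.com", 587);
        System.out.println("weak verifies identity:     " + verifiesServerIdentity(weak));
        System.out.println("hardened verifies identity: " + verifiesServerIdentity(hardened));
        Session session = Session.getInstance(hardened);
        System.out.println("session ready for " + session.getProperty("mail.smtp.host"));
    }
}
```

`verifiesServerIdentity` can be pointed at the Properties object any existing sender builds to confirm the check is actually enabled before mail goes out.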
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 7 Via RHSA-2020:2107 https://access.redhat.com/errata/RHSA-2020:2107
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 6 Via RHSA-2020:2106 https://access.redhat.com/errata/RHSA-2020:2106
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 8 Via RHSA-2020:2108 https://access.redhat.com/errata/RHSA-2020:2108
This issue has been addressed in the following products: Red Hat Single Sign On 7.3.8 Via RHSA-2020:2112 https://access.redhat.com/errata/RHSA-2020:2112
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1758
Acknowledgments: Name: Peter Stöckli