1860138 – (CVE-2020-14341) CVE-2020-14341 RHSSO: test connection function in console permits timing based port scanning

Bug 1860138 (CVE-2020-14341) - CVE-2020-14341 RHSSO: test connection function in console permits timing based port scanning

Summary: CVE-2020-14341 RHSSO: test connection function in console permits timing base...

Keywords:
Status:	NEW
Alias:	CVE-2020-14341
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1856175
TreeView+	depends on / blocked

Reported:	2020-07-23 19:15 UTC by Dave Baker
Modified:	2023-07-07 08:28 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Dave Baker 2020-07-23 19:15:07 UTC

The "Test Connection" available in v7.x of the Red Hat Single Sign On application console can permit an authorized user to cause SMTP connections to be attempted to arbitrary hosts and ports of the user's choosing, and originating from the RHSSO installation.

By observing differences in the timings of these scans, an attacker may glean information about hosts and ports which they do not have access to scan directly.

Comment 5 Dave Baker 2020-07-24 14:15:39 UTC

Acknowledgments:

Name: Jeremy Choi (Red Hat Product Security)

Note You need to log in before you can comment on or make changes to this bug.