Bug 1906797 (CVE-2020-27838) - CVE-2020-27838 keycloak: Exploiting the client registration API
Summary: CVE-2020-27838 keycloak: Exploiting the client registration API
Keywords:
Status: NEW
Alias: CVE-2020-27838
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1904057
TreeView+ depends on / blocked
 
Reported: 2020-12-11 12:26 UTC by Paramvir jindal
Modified: 2021-03-08 06:56 UTC (History)
40 users (show)

See Also:
Fixed In Version: keycloak 13.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in keycloak. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Paramvir jindal 2020-12-11 12:26:34 UTC
Client registration endpoints should not allow fetching information about public clients without authentication.
https://issues.redhat.com/browse/KEYCLOAK-16521

Comment 4 Paramvir jindal 2021-02-19 14:12:00 UTC
Acknowledgments:

Name: Adam Devoe (SemaTree Inc.)


Note You need to log in before you can comment on or make changes to this bug.