Bug 1906797 (CVE-2020-27838) - CVE-2020-27838 keycloak: Exploiting the client registration API
Summary: CVE-2020-27838 keycloak: Exploiting the client registration API
Status: NEW
Alias: CVE-2020-27838
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On:
Blocks: 1904057
TreeView+ depends on / blocked
Reported: 2020-12-11 12:26 UTC by Paramvir jindal
Modified: 2024-02-01 19:12 UTC (History)
28 users (show)

See Also:
Fixed In Version: keycloak 13.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in keycloak. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Paramvir jindal 2020-12-11 12:26:34 UTC
Client registration endpoints should not allow fetching information about public clients without authentication.

Comment 4 Paramvir jindal 2021-02-19 14:12:00 UTC

Name: Adam Devoe (SemaTree Inc.)

Comment 20 Patrick Del Bello 2024-02-01 19:12:25 UTC
According to the Jira issue this was fixed in RHSSO 7.5.0

Note You need to log in before you can comment on or make changes to this bug.