Bug 1846270 (CVE-2020-10770) - CVE-2020-10770 keycloak: Default Client configuration is vulnerable to SSRF using "request_uri" parameter
Summary: CVE-2020-10770 keycloak: Default Client configuration is vulnerable to SSRF u...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10770
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1836188
Reported: 2020-06-11 09:09 UTC by Paramvir jindal
Modified: 2023-09-25 07:07 UTC (History)

See Also:
Fixed In Version: keycloak 13.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
Clone Of:
Environment:
Last Closed: 2021-02-01 14:41:40 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0318 0 None None None 2021-02-01 13:45:05 UTC
Red Hat Product Errata RHSA-2021:0319 0 None None None 2021-02-01 13:46:25 UTC
Red Hat Product Errata RHSA-2021:0320 0 None None None 2021-02-01 13:45:53 UTC
Red Hat Product Errata RHSA-2021:0327 0 None None None 2021-02-01 18:56:30 UTC

Description Paramvir jindal 2020-06-11 09:09:29 UTC
The "request_uri" is an optional parameter in the OIDC Authentication Request that allows specifying an external URI where the Request Object may be found. As the Identity Provider is supposed to request the external Request Object, this parameter can easily be used to launch an SSRF attack against the IdP.

https://issues.redhat.com/browse/KEYCLOAK-14019
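The reporter's description above states the mechanism: the provider fetches whatever URL the caller places in request_uri. The following Python sketch is an added example, not part of this bug report and not Keycloak's code, showing the defensive side of that design: the authorization endpoint fetches a request_uri only when it matches a URL pre-registered for the requesting client, and otherwise answers with the OIDC invalid_request_uri error. The client table, client ids, hostnames and function names are constructed for the example. This page only records that the issue is fixed in keycloak 13.0.0 and does not describe the fix, so this is a generic allowlist check, not the project's implementation.

```python
from urllib.parse import unquote, urlsplit

# Constructed client registrations (hypothetical; not Keycloak's data model).
# "request_uris" is the per-client allowlist of URLs the provider may fetch.
REGISTERED_CLIENTS = {
    "web-app": {"request_uris": ["https://app.example.com/oidc/requests/"]},
    "legacy-app": {"request_uris": []},  # never registered any request URIs
}

HTTPS_DEFAULT_PORT = 443


def _origin(parts):
    """(hostname, port) with the https default port filled in for comparison."""
    port = parts.port if parts.port is not None else HTTPS_DEFAULT_PORT
    return (parts.hostname, port)


def is_allowed_request_uri(client_id, request_uri):
    """Return True only if request_uri matches a URL pre-registered for client_id.

    Policy applied here (a defender's choice, not an OIDC mandate):
    - unknown clients and clients with no registered request URIs get False
    - only https, no userinfo, no query string or fragment
    - scheme, host and port must match the registered entry exactly
    - path must equal the registered path, or sit beneath it when the
      registered path ends in "/"; "." and ".." segments are refused
    """
    client = REGISTERED_CLIENTS.get(client_id)
    if not client or not client["request_uris"]:
        return False
    try:
        req = urlsplit(request_uri)
        req_origin = _origin(req)  # .port raises ValueError on a bad port
    except ValueError:
        return False
    if req.scheme != "https" or not req.hostname:
        return False
    if req.username or req.password or req.query or req.fragment:
        return False
    # Decode once so "%2e%2e" is caught as well as a literal ".."
    segments = unquote(req.path).split("/")
    if any(seg in (".", "..") for seg in segments):
        return False
    for registered in client["request_uris"]:
        reg = urlsplit(registered)
        if reg.scheme != req.scheme or _origin(reg) != req_origin:
            continue
        if req.path == reg.path:
            return True
        if reg.path.endswith("/") and req.path.startswith(reg.path):
            return True
    return False


def handle_request_uri(client_id, params):
    """Decide how the authorization endpoint treats an incoming request_uri.

    Returns a decision record; the caller performs the network fetch only
    when action == "fetch". With no request_uri the request proceeds on
    its inline parameters.
    """
    request_uri = params.get("request_uri")
    if request_uri is None:
        return {"action": "continue"}
    if is_allowed_request_uri(client_id, request_uri):
        return {"action": "fetch", "url": request_uri}
    # OIDC Core 3.1.2.6 defines the invalid_request_uri error for this case.
    return {"action": "reject", "error": "invalid_request_uri"}


if __name__ == "__main__":
    checks = [
        ("web-app", "https://app.example.com/oidc/requests/abc123"),
        ("web-app", "http://app.example.com/oidc/requests/abc123"),
        ("web-app", "https://app.example.com/oidc/requests/../../admin"),
        ("legacy-app", "https://app.example.com/oidc/requests/abc123"),
    ]
    for cid, uri in checks:
        print(cid, uri, "->", handle_request_uri(cid, {"request_uri": uri})["action"])
```

The important property is the default for a client that registered nothing: the parameter is refused rather than honoured, so a deployment that never configured request URIs is not exposed by merely running the endpoint. Matching on exact origin plus a registered path prefix, rather than on substring or regex, keeps the allowlist from being widened by look-alike hosts or traversal segments.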

Comment 4 Paramvir jindal 2020-06-17 08:16:18 UTC
Acknowledgments:

Name: Lauritz Holtmann (@_lauritz_) (Chair for Network and Data Security at Ruhr University Bochum)

Comment 7 errata-xmlrpc 2021-02-01 13:45:03 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4 for RHEL 6

Via RHSA-2021:0318 https://access.redhat.com/errata/RHSA-2021:0318

Comment 8 errata-xmlrpc 2021-02-01 13:45:51 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4 for RHEL 8

Via RHSA-2021:0320 https://access.redhat.com/errata/RHSA-2021:0320

Comment 9 errata-xmlrpc 2021-02-01 13:46:23 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4 for RHEL 7

Via RHSA-2021:0319 https://access.redhat.com/errata/RHSA-2021:0319

Comment 10 Product Security DevOps Team 2021-02-01 14:41:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10770

Comment 11 errata-xmlrpc 2021-02-01 18:56:27 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.5

Via RHSA-2021:0327 https://access.redhat.com/errata/RHSA-2021:0327
