Bug 1790292 (CVE-2020-1698) - CVE-2020-1698 keycloak: Password leak by logged exception in HttpMethod class
Summary: CVE-2020-1698 keycloak: Password leak by logged exception in HttpMethod class
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1698
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1790293
Reported: 2020-01-13 03:18 UTC by Pedro Sampaio
Modified: 2021-02-16 20:46 UTC
CC List: 47 users

Fixed In Version: keycloak 9.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in keycloak. A logged exception in the HttpMethod class may leak the password given as a parameter. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2020-05-06 07:54:35 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2252 0 None None None 2020-06-01 15:32:30 UTC
Red Hat Product Errata RHSA-2020:2905 0 None None None 2020-07-23 07:04:12 UTC

Description Pedro Sampaio 2020-01-13 03:18:39 UTC
A flaw was found in keycloak. A logged exception in the HttpMethod class may leak the password given as a parameter.

References:

https://issues.redhat.com/browse/KEYCLOAK-12638
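The bug class behind this report is an exception whose message embeds the full request body, so that any log line written for that exception carries the password along with it. The following Java program is an added illustration of that pattern and of the usual mitigation (redacting secret parameters before they reach a message or a log). It is not Keycloak's HttpMethod code: the class, method and parameter names, the endpoint URL and the sample credential are all constructed for the example, and the transport is simulated so it runs offline.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical illustration of the CVE-2020-1698 bug class; not Keycloak's own code.
public class FormPostLogging {
    private static final Logger LOG = Logger.getLogger(FormPostLogging.class.getName());

    // Assumed list of form parameter names that must never appear in diagnostics.
    private static final Set<String> SENSITIVE = Set.of("password", "client_secret", "refresh_token");

    // Simulated transport: always fails, standing in for a network error or non-2xx response.
    static void send(String url, String body) throws IOException {
        throw new IOException("connection refused");
    }

    // application/x-www-form-urlencoded encoding of the parameter map.
    static String encode(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    // Vulnerable pattern: the wrapped exception carries the raw body, including the password,
    // so the log record (and any stack trace printed later) discloses it.
    static void postLeaky(String url, Map<String, String> params) {
        String body = encode(params);
        try {
            send(url, body);
        } catch (IOException e) {
            RuntimeException wrapped =
                new RuntimeException("Error executing POST " + url + " with body " + body, e);
            LOG.log(Level.SEVERE, "request failed", wrapped);
            throw wrapped;
        }
    }

    // Same encoding, but with the values of sensitive parameters replaced before use in messages.
    static String redacted(Map<String, String> params) {
        Map<String, String> copy = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            boolean secret = SENSITIVE.contains(e.getKey().toLowerCase());
            copy.put(e.getKey(), secret ? "***" : e.getValue());
        }
        return encode(copy);
    }

    // Hardened pattern: the real body goes only to the transport; diagnostics see the redacted form.
    static void postSafe(String url, Map<String, String> params) {
        String body = encode(params);
        try {
            send(url, body);
        } catch (IOException e) {
            RuntimeException wrapped =
                new RuntimeException("Error executing POST " + url + " with body " + redacted(params), e);
            LOG.log(Level.SEVERE, "request failed", wrapped);
            throw wrapped;
        }
    }

    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("grant_type", "password");
        params.put("username", "alice");                 // constructed sample user
        params.put("password", "s3cret-example");        // constructed sample credential
        String url = "https://sso.example.invalid/token"; // placeholder endpoint

        try {
            postLeaky(url, params);
        } catch (RuntimeException e) {
            System.out.println("leaky message: " + e.getMessage()); // contains s3cret-example
        }
        try {
            postSafe(url, params);
        } catch (RuntimeException e) {
            System.out.println("safe message:  " + e.getMessage()); // password shown as ***
            if (e.getMessage().contains("s3cret-example")) {
                throw new AssertionError("secret leaked into exception message");
            }
        }
    }
}
```

The redaction happens at the point where the message is built, not at the logger, because the same exception may later be printed, serialized into an error response, or forwarded to a crash reporter that the logger configuration does not control. When auditing for this class of flaw, search for exception constructors and log calls whose arguments include request bodies, parameter maps or form strings, and check whether a credential can reach them.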

Comment 1 Paramvir jindal 2020-01-16 04:46:40 UTC
RHSSO 7.3.5 client adapters seem to be affected as they do ship keycloak-authz-client-4.8.15.Final-redhat-00001.jar

Comment 3 Paramvir jindal 2020-01-16 04:57:32 UTC
Marking RHDM/PAM as not affected as they do not ship this class:

https://github.com/keycloak/keycloak/blob/master/authz/client/src/main/java/org/keycloak/authorization/client/util/HttpMethod.java#L106

Comment 9 Pedro Sampaio 2020-05-05 14:33:59 UTC
Acknowledgments:

Name: Tobias Friedrich

Comment 12 errata-xmlrpc 2020-06-01 15:32:28 UTC
This issue has been addressed in the following products:

  Red Hat Runtimes Spring Boot 2.2.6

Via RHSA-2020:2252 https://access.redhat.com/errata/RHSA-2020:2252

Comment 13 errata-xmlrpc 2020-07-23 07:04:08 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2905 https://access.redhat.com/errata/RHSA-2020:2905