It was found that pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors. References: https://issues.redhat.com/browse/KEYCLOAK-12264
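The description above names two consequences of the missing headers, clickjacking and channel downgrade, but not the headers themselves. The following check is an added example, not code from Keycloak, Red Hat or the linked issue; the set of "general HTTP security headers" it looks for (X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options) and the two sample responses are assumptions constructed for illustration. It parses a raw HTTP response, reports which expected headers are absent, and separately decides whether framing is actually restricted, since a header can be present but still permissive.

```python
"""Check an HTTP response for the general security headers whose absence the
advisory describes. Added example; not Keycloak or Red Hat code."""

# Header name -> the client-side risk left open when it is absent.
# Which headers count as "general security headers" is an assumption here;
# the advisory only names clickjacking and channel downgrade explicitly.
EXPECTED_HEADERS = {
    "x-frame-options": "clickjacking (page may be framed by another origin)",
    "content-security-policy": "clickjacking/injection (frame-ancestors, script-src)",
    "strict-transport-security": "channel downgrade (HTTPS stripped to HTTP)",
    "x-content-type-options": "MIME sniffing of responses",
}


def parse_raw_response(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 response into a dict keyed by
    lower-cased header name. Duplicate names keep the last value, which is
    sufficient for a presence check."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(headers: dict) -> dict:
    """Return {header: risk} for every expected header absent from the response."""
    present = {name.lower() for name in headers}
    return {h: risk for h, risk in EXPECTED_HEADERS.items() if h not in present}


def frame_protection_weak(headers: dict) -> bool:
    """True when neither X-Frame-Options (DENY/SAMEORIGIN) nor a CSP
    frame-ancestors directive restricts who may frame the page."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    csp = lowered.get("content-security-policy", "").lower()
    return "frame-ancestors" not in csp


# Constructed sample: an admin-console page served with no security headers.
UNPROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the same page with the headers a hardened deployment sends.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for label, raw in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        hdrs = parse_raw_response(raw)
        print(label, "missing:", sorted(missing_security_headers(hdrs)),
              "framing weak:", frame_protection_weak(hdrs))
```

Run against a captured response from the admin console (for example the raw output of `curl -i`), the first sample reproduces the advisory's finding: every expected header is absent and framing is unrestricted. The `frame_protection_weak` check matters beyond mere presence, because a value such as `ALLOWALL` or a CSP without `frame-ancestors` leaves clickjacking possible even though a header is set.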
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 6 Via RHSA-2020:3495 https://access.redhat.com/errata/RHSA-2020:3495
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 7 Via RHSA-2020:3496 https://access.redhat.com/errata/RHSA-2020:3496
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 8 Via RHSA-2020:3497 https://access.redhat.com/errata/RHSA-2020:3497
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.2 Via RHSA-2020:3501 https://access.redhat.com/errata/RHSA-2020:3501
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1728
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:3539 https://access.redhat.com/errata/RHSA-2020:3539
This issue has been addressed in the following products: Red Hat Runtimes Spring Boot 2.2.10 Via RHSA-2020:4213 https://access.redhat.com/errata/RHSA-2020:4213
This issue has been addressed in the following products: Red Hat build of Quarkus 1.7.5 Via RHSA-2020:4252 https://access.redhat.com/errata/RHSA-2020:4252