Keycloak does not perform TLS hostname verification when sending emails via an SMTP server, which could result in information disclosure. External Reference: https://issues.redhat.com/browse/KEYCLOAK-13285
Mitigation: Turn off all kinds of email notifications including password reset mails.
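As an added illustration (not code from this page or from Keycloak; the peer certificate sample and host names are constructed), the following Python shows what TLS hostname verification on an SMTP connection actually checks, and the weak client setting that skips it beside the corrected one:

```python
import smtplib
import ssl

# Constructed sample shaped like ssl.SSLSocket.getpeercert(): a valid certificate
# issued for mail.example.com and *.example.net, but not for the host we expect.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.net")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: one '*' may stand in for the left-most label only."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Wildcard must leave at least two fixed labels, so '*.com' never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Hostname verification in one line: the SMTP host we dialled must be named in the cert.
    Without this step any certificate trusted by the CA store is accepted for any host."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_name_matches(name, hostname) for name in dns_names)


def smtp_tls_context(verify_hostname: bool = True) -> ssl.SSLContext:
    """Build the client context; verify_hostname=False reproduces the weak configuration."""
    ctx = ssl.create_default_context()  # chain + hostname verification on by default
    if not verify_hostname:
        # Weak: the chain is still validated, but a cert for some other host passes,
        # which is the gap the advisory above describes.
        ctx.check_hostname = False
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Configuration check a deployer can run: both switches must be on."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def open_verified_smtp(host: str, port: int = 587) -> smtplib.SMTP:
    """Corrected form of the client: STARTTLS with chain and hostname verification."""
    conn = smtplib.SMTP(host, port)
    conn.starttls(context=smtp_tls_context(verify_hostname=True))
    return conn
```

In JavaMail/Jakarta Mail, the library Keycloak uses for SMTP, the corresponding session property is `mail.smtp.ssl.checkserveridentity`, which defaults to false.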
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 7 via RHSA-2020:2107 https://access.redhat.com/errata/RHSA-2020:2107
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 6 via RHSA-2020:2106 https://access.redhat.com/errata/RHSA-2020:2106
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 8 via RHSA-2020:2108 https://access.redhat.com/errata/RHSA-2020:2108
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3.8 via RHSA-2020:2112 https://access.redhat.com/errata/RHSA-2020:2112
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1758
Acknowledgments: Name: Peter Stöckli