exploitDog

CVE-2020-1744

Published: 23 Mar 2020
Source: redhat
CVSS3: 5.6 (Medium)

Description

A flaw was found in keycloak before version 9.0.1. When a Conditional OTP Authentication Flow is configured as the post-login flow of an identity provider (IdP), OTP login failure events are not sent to the brute force protection event queue, so BruteForceProtector never sees these failures and cannot count them towards a lockout.

A flaw was found in keycloak. BruteForceProtector does not handle Conditional OTP Authentication Flow login failure events because those events are not sent to the brute force protection event queue. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
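To make the failure mode concrete, here is a small Python model (added for this page; it is not Keycloak's code, and the class, function and option names are this example's own) of a login-failure protector with two variants of the OTP step: one that never reports OTP failures to the protector, matching the unpatched post-login-flow behaviour described above, and one that does. The user name, the sample OTP value and the attacker's guess list are constructed for the example.

```python
"""Model of a brute-force protector whose lockout depends on every failing
authentication step reporting to it (illustrates CVE-2020-1744).

Added example, not Keycloak's implementation. Names are assumptions made
for this page; thresholds loosely mirror Keycloak's "Max Login Failures"
and "Wait Increment" settings.
"""
from dataclasses import dataclass, field

SECRET_OTP = "123456"  # constructed sample OTP for user "alice"


@dataclass
class BruteForceProtector:
    """Counts login failures per user and temporarily locks the user."""
    max_failures: int = 3          # lock after this many consecutive failures
    lockout_seconds: int = 60      # length of the temporary lockout
    _failures: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)

    def failed_login(self, user: str, now: float) -> None:
        """Record one failure; lock the user once the threshold is reached."""
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds

    def successful_login(self, user: str) -> None:
        """A successful login clears the failure counter and any lockout."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0) > now


def post_login_otp(protector: BruteForceProtector, user: str, otp: str,
                   now: float, report_failures: bool) -> str:
    """One OTP step run after a successful IdP (broker) login.

    report_failures=False models the unpatched path: the OTP failure is
    never handed to the protector. report_failures=True models the fix.
    Returns "locked", "ok" or "invalid_otp".
    """
    if protector.is_locked(user, now):
        return "locked"
    if otp == SECRET_OTP:
        protector.successful_login(user)
        return "ok"
    if report_failures:
        protector.failed_login(user, now)
    return "invalid_otp"


def brute_force_otp(report_failures: bool, attempts: int = 10) -> int:
    """Attacker who already passed the IdP login guesses OTP codes.

    Returns how many guesses the OTP step actually evaluated before the
    protector refused further attempts. Without failure reporting every
    guess is evaluated; with it, the lockout stops the attacker at
    max_failures.
    """
    protector = BruteForceProtector()
    evaluated = 0
    for i in range(attempts):
        guess = f"{i:06d}"  # constructed guesses 000000, 000001, ...
        result = post_login_otp(protector, "alice", guess, now=0,
                                report_failures=report_failures)
        if result == "locked":
            break
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("unpatched path, OTP guesses evaluated:", brute_force_otp(False))
    print("patched path, OTP guesses evaluated:  ", brute_force_otp(True))
```

The point of the model is that the protector's lockout is only as good as its inputs: a flow that swallows failures on one code path (here, the OTP step after broker login) gives an attacker who controls the IdP session unlimited OTP guesses, while the same protector configuration stops the same attacker after three guesses once that path reports.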

Affected packages

Platform | Package | State | Advisory | Release date
Red Hat Fuse 7 | keycloak | Not affected | - | -
Red Hat OpenShift Application Runtimes | keycloak | Affected | - | -
Red Hat support for Spring Boot | keycloak | Affected | - | -
Red Hat Runtimes Spring Boot 2.2.6 | keycloak | Fixed | RHSA-2020:2252 | 2020-06-01
Red Hat Single Sign-On 7.3 | - | Fixed | RHSA-2020:0951 | 2020-03-23
Red Hat Single Sign-On 7.3 for RHEL 6 | rh-sso7-keycloak | Fixed | RHSA-2020:0945 | 2020-03-23
Red Hat Single Sign-On 7.3 for RHEL 7 | rh-sso7-keycloak | Fixed | RHSA-2020:0946 | 2020-03-23
Red Hat Single Sign-On 7.3 for RHEL 8 | rh-sso7-keycloak | Fixed | RHSA-2020:0947 | 2020-03-23
Text-Only RHOAR | - | Fixed | RHSA-2020:2905 | 2020-07-23


Additional information

Status: Moderate
Defect: CWE-755
Bugzilla 1805792: keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP
https://bugzilla.redhat.com/show_bug.cgi?id=1805792


Related vulnerabilities

nvd (CVSS3: 5.6, almost 6 years ago)
A flaw was found in keycloak before version 9.0.1. When a Conditional OTP Authentication Flow is configured as the post-login flow of an IdP, OTP login failure events are not sent to the brute force protection event queue, so BruteForceProtector does not handle these events.

debian (CVSS3: 5.6, almost 6 years ago)
A flaw was found in keycloak before version 9.0.1. When configuring an ...

github (CVSS3: 5.6, more than 4 years ago)
Exposure of Sensitive Information in keycloak

fstec (CVSS3: 9.8, almost 6 years ago)
Vulnerability in the BruteForceProtector component of the Keycloak identity and access management software that allows an attacker to gain unauthorized access to protected information.
