Description
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.
A flaw was found in Keycloak, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.
Mitigation
Turn off all kinds of email notifications including password reset mails.
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Fuse 7 | keycloak | Not affected | | |
| Red Hat OpenShift Application Runtimes | keycloak | Not affected | | |
| Red Hat OpenStack Platform 10 (Newton) | keycloak | Out of support scope | | |
| Red Hat support for Spring Boot | keycloak | Not affected | | |
| Red Hat Single Sign On 7.3.8 | | Fixed | RHSA-2020:2112 | 12.05.2020 |
| Red Hat Single Sign-On 7.3 for RHEL 6 | rh-sso7-keycloak | Fixed | RHSA-2020:2106 | 12.05.2020 |
| Red Hat Single Sign-On 7.3 for RHEL 7 | rh-sso7-keycloak | Fixed | RHSA-2020:2107 | 12.05.2020 |
| Red Hat Single Sign-On 7.3 for RHEL 8 | rh-sso7-keycloak | Fixed | RHSA-2020:2108 | 12.05.2020 |
Additional information
Status:
CVSS3: 5.3 Medium
Related vulnerabilities
Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak
CVSS3: 5.3 Medium