SB2020050503 - Multiple vulnerabilities in Red Hat Keycloak

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Authorization (CVE-ID: CVE-2020-10686)

The vulnerability allows a remote user to bypass authorization checks.

The vulnerability exists due to improper authorization checks where a malicious user registers as oneself. A remote administrator can use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.

2) Information disclosure (CVE-ID: CVE-2020-1744)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists when configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events. A remote attacker can gain unauthorized access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686
• https://github.com/keycloak/keycloak/commit/5ddd605ee96b8551c7eb00b609a0b97939925b77
• https://access.redhat.com/security/cve/CVE-2020-1744
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744