SB2020081828 - Multiple vulnerabilities in Red Hat Single Sign-On 7.4


Published: August 18, 2020 Updated: April 24, 2025

Security Bulletin ID: SB2020081828
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity: Medium 50%, Low 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Protection Mechanism Failure (CVE-ID: CVE-2020-1728)

The vulnerability allows a remote attacker to bypass expected security restrictions.

The vulnerability exists because the Admin Console area in Keycloak omits the general HTTP security headers from its HTTP responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The missing headers unnecessarily make the server more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors.
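As an added defender-side check that is not part of this bulletin or of Keycloak itself, the following Python script reports which of the response headers relevant to the flaw above (anti-framing, Strict-Transport-Security, nosniff) a response lacks. The two sample header sets are constructed, and the `/auth/admin/` Admin Console path is an assumption.

```python
import re
import sys
import urllib.request

# Constructed sample headers (illustrative, not captured from a real server):
# one response that carries the protective headers, one that carries none.
HARDENED = {
    "Content-Type": "text/html;charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
BARE = {"Content-Type": "text/html;charset=utf-8", "Content-Length": "1234"}


def _get(headers, name):
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    return next((v.strip() for k, v in headers.items() if k.lower() == name.lower()), "")


def missing_security_headers(headers):
    """Return one finding per missing protection; an empty list means all are present."""
    findings = []
    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    xfo = _get(headers, "X-Frame-Options").upper()
    csp = _get(headers, "Content-Security-Policy").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")
    # Channel downgrade: Strict-Transport-Security with a positive max-age.
    m = re.search(r"max-age=(\d+)", _get(headers, "Strict-Transport-Security"), re.I)
    if not m or int(m.group(1)) <= 0:
        findings.append("channel downgrade: no Strict-Transport-Security max-age")
    # MIME sniffing: X-Content-Type-Options: nosniff.
    if _get(headers, "X-Content-Type-Options").lower() != "nosniff":
        findings.append("mime sniffing: no X-Content-Type-Options: nosniff")
    return findings


def check_url(url):
    """Fetch a URL (network required) and report findings for the live response."""
    with urllib.request.urlopen(url) as resp:
        return missing_security_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    # Usage: python check_headers.py https://sso.example.com/auth/admin/  (assumed Admin Console path)
    result = check_url(sys.argv[1]) if len(sys.argv) > 1 else missing_security_headers(BARE)
    print("\n".join(result) or "all expected headers present")
```

Run it against the Admin Console URL of a patched instance to confirm the headers are actually emitted; with no argument it evaluates the constructed BARE sample.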


2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2020-10758)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A vulnerability was found in Keycloak before 11.0.1 where a DoS attack is possible by sending twenty requests simultaneously to the targeted Keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.


Remediation

Install update from vendor's website.