Protection Mechanism Failure in Keycloak - CVE-2020-1728

 

Published: April 6, 2020 / Updated: October 9, 2020


Vulnerability identifier: #VU47487
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-1728
CWE-ID: CWE-693
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass expected security restrictions.

The vulnerability exists because the Admin Console area in Keycloak is completely missing general HTTP security headers in its HTTP responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The missing headers unnecessarily make the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors.
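The advisory names the attack classes (clickjacking, channel downgrade) but not the individual headers. The following is an added example, not code from the advisory or from the Keycloak project: a small offline checker that audits one response's headers for the standard browser protections tied to those attack classes (X-Frame-Options or a restrictive Content-Security-Policy frame-ancestors against framing, Strict-Transport-Security against downgrade, plus X-Content-Type-Options). The two sample header sets are constructed here and are not captured from a real Keycloak admin console; in practice you would pass in the headers returned by your own HTTP client.

```python
"""
Added example (not from the advisory or the Keycloak project): audit a
single HTTP response's headers for the browser protections whose absence
the advisory links to clickjacking and channel-downgrade risk.  Header
names and accepted values are the standard ones; the sample responses
below are constructed, not real Keycloak output.
"""
from typing import Dict, List


def _parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers: Dict[str, str], served_over_tls: bool = True) -> List[str]:
    """Return a list of findings (empty list means all checks passed).

    Header names are compared case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    # Clickjacking: framing must be restricted by X-Frame-Options or by a
    # CSP frame-ancestors directive that does not allow every origin.
    xfo = h.get("x-frame-options", "").upper()
    frame_ancestors = _parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    framing_restricted = xfo in ("DENY", "SAMEORIGIN") or (
        frame_ancestors is not None and "*" not in frame_ancestors
    )
    if not framing_restricted:
        findings.append("framing not restricted (no X-Frame-Options DENY/SAMEORIGIN "
                        "and no restrictive CSP frame-ancestors): clickjacking risk")

    # Channel downgrade: HSTS pins browsers to HTTPS on later visits, but
    # browsers only honour it when the response itself arrived over TLS.
    if not served_over_tls:
        findings.append("response not served over TLS: HSTS cannot take effect here")
    else:
        max_age = 0
        for token in h.get("strict-transport-security", "").split(";"):
            token = token.strip().lower()
            if token.startswith("max-age="):
                try:
                    max_age = int(token.split("=", 1)[1])
                except ValueError:
                    max_age = 0
        if max_age <= 0:
            findings.append("Strict-Transport-Security missing or max-age=0: "
                            "channel downgrade risk")

    # MIME-sniffing guard, normally expected alongside the headers above.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    return findings


# Constructed sample responses (not captured from a real server).
MISSING_ALL = {"Content-Type": "text/html; charset=utf-8"}
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("missing", MISSING_ALL), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["ok"])
```

The checker deliberately treats `frame-ancestors *` as no protection and ignores HSTS on plain-HTTP responses, since browsers discard it there; both are common sources of false "pass" results in home-grown header scans.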


How to mitigate CVE-2020-1728

Install updates from the vendor's website.

Sources