#VU30168 Input validation error in Keycloak - CVE-2020-1727

Cybersecurity Help s.r.o.

Published: 2020-06-22 | Updated: 2020-07-17

Vulnerability identifier: #VU30168

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-1727

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Keycloak
Server applications / Directory software, identity management

Vendor: Keycloak

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation as it allows a wide range of characters. This flaw allows a malicious to craft deep links that introduce further attack scenarios on affected clients.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Keycloak: 9.0.0 - 9.0.1

External links
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1727

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat Single Sign-On 7.4

Input validation error in Keycloak