CVE-2020-1758

Published: May 15, 2020Modified: Nov 21, 2024

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

Affected (2)

Products: Redhat: Keycloak, Openstack

Redhat

2 products

Keycloak

Openstack

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Keycloak	Before 10.0.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Openstack	Version 10

Related CWEs

CWE-295

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

CWE-297

Improper Validation of Certificate with Host Mismatch

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

References (4)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1758

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://issues.redhat.com/browse/KEYCLOAK-13285

Source: secalert@redhat.com

Permissions RequiredVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1758

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://issues.redhat.com/browse/KEYCLOAK-13285

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredVendor Advisory

Timeline

No history available yet.