Improper authorization control for web services in org.keycloak:keycloak-parent

Description

Incorrect Permission Assignment for Critical Resource and Permissive List of Allowed Inputs in Keycloak. A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience option. This flaw results in some users having access to sensitive information outside of their permissions.
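The audience check that verify-token-audience refers to, as an added example that is not code from the Keycloak NodeJS adapter. The function names, client ids and sample tokens are constructed for illustration, and signature, issuer and expiry validation are assumed to have passed already.

```javascript
// Added illustration; not code from the Keycloak NodeJS adapter.
// Assumes signature, issuer and expiry checks already passed.

const b64url = (buf) => buf.toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Constructed sample token; the signature segment is a placeholder.
function makeSampleToken(claims) {
  const seg = (o) => b64url(Buffer.from(JSON.stringify(o)));
  return `${seg({ alg: 'RS256', typ: 'JWT' })}.${seg(claims)}.c2lnbmF0dXJl`;
}

// Decode the payload segment of a compact JWT (no signature check here).
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// RFC 7519: "aud" is a single string or an array of strings.
function audienceMatches(claims, clientId) {
  const aud = claims.aud;
  if (typeof aud === 'string') return aud === clientId;
  if (Array.isArray(aud)) return aud.includes(clientId);
  return false; // missing or malformed audience is rejected
}

// verifyTokenAudience models the option named in the advisory:
// when false, a valid token minted for any client is accepted.
function acceptBearer(jwt, clientId, verifyTokenAudience) {
  const claims = decodeClaims(jwt);
  return !verifyTokenAudience || audienceMatches(claims, clientId);
}

// Constructed tokens for a hypothetical service "reports-api".
const forOtherClient = makeSampleToken({ sub: 'alice', aud: 'billing-api' });
const forThisClient = makeSampleToken({ sub: 'alice', aud: ['account', 'reports-api'] });
const noAudience = makeSampleToken({ sub: 'alice' });

console.log('no audience check :', acceptBearer(forOtherClient, 'reports-api', false));
console.log('audience enforced :', acceptBearer(forOtherClient, 'reports-api', true));
```

With the check off, the service accepts a token whose audience names a different client, which is the condition the description reports.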

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions