Fluid Attacks Database

Description

Keycloak leaks sensitive information in logged exceptions A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-core	>=0 <9.0.0	9.0.0
npm	keycloak-connect	>=0 <9.0.0	9.0.0
maven	org.keycloak:keycloak-authz-client	>=0 <9.0.0	9.0.0

Aliases

1. CVE-2020-16982. NVD-2020-16983. OSV-2020-16984. GCVE-2020-16985. bugzilla.redhat.com

References

1. https://github.com/keycloak/keycloak/pull/67512. https://github.com/keycloak/keycloak/commit/62c9e1577618470832ede22dcedd46cba15b18363. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1698

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.