Fluid Attacks Database

Description

Exposure of Sensitive Information in keycloak A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-services	>=0 <9.0.1	9.0.2
maven	org.keycloak:keycloak-core	>=0 <9.0.1	9.0.1
npm	keycloak-connect	>=0 <9.0.1	9.0.2

Aliases

1. CVE-2020-17442. NVD-2020-17443. OSV-2020-17444. GCVE-2020-17445. ACCESS-CVE-2020-17446. bugzilla.redhat.com

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.