Fluid Attacks Database

Description

Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-parent	>=0 <10.0.0	10.0.0
maven	org.keycloak:keycloak-services	>=0 <10.0.0	10.0.0
maven	org.keycloak:keycloak-core	>=0 <10.0.0	10.0.0

Aliases

1. CVE-2020-17582. NVD-2020-17583. OSV-2020-17584. GCVE-2020-17585. bugzilla.redhat.com

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-17582. https://issues.redhat.com/browse/KEYCLOAK-13285

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.