CVE-2020-10770

Name of the Vulnerable Software and Affected Versions Keycloak versions prior to 13.0.0

Description A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

Recommendations For versions prior to 13.0.0, update to version 13.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the request uri parameter in the OIDC endpoint to minimize the risk of exploitation.