PT-2021-9172 · Red Hat · Keycloak
Guilherme De Almeida Suckevicz
Published 2021-02-11 · Updated 2022-04-28
CVE-2020-10734
CVSS v3.1: 3.3 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
keycloak versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes
Description
A vulnerability was found in the way keycloak handles the OIDC logout endpoint, which lacks CSRF protection. The highest threat from this vulnerability is to system availability.
Recommendations
For versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes, consider disabling the OIDC logout endpoint as a temporary workaround until a patch is available. Where it cannot be disabled, restrict access to the OIDC logout endpoint to minimize the risk of exploitation, and avoid using it until the issue is resolved.
Fix
DoS · CSRF · Open Redirect
Related Identifiers
Affected Products
Keycloak