gsd-2020-1744
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
A flaw was found in Keycloak before version 9.0.1. When configuring a Conditional OTP Authentication Flow as a post-login flow of an IDP, the failed OTP login events are not sent to the brute force protection event queue, so BruteForceProtector does not handle these events.
Aliases



{
  "GSD": {
    "alias": "CVE-2020-1744",
    "description": "A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.",
    "id": "GSD-2020-1744",
    "references": [
      "https://www.suse.com/security/cve/CVE-2020-1744.html",
      "https://access.redhat.com/errata/RHSA-2020:2905",
      "https://access.redhat.com/errata/RHSA-2020:2252",
      "https://access.redhat.com/errata/RHSA-2020:0951",
      "https://access.redhat.com/errata/RHSA-2020:0947",
      "https://access.redhat.com/errata/RHSA-2020:0946",
      "https://access.redhat.com/errata/RHSA-2020:0945"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-1744"
      ],
      "details": "A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.",
      "id": "GSD-2020-1744",
      "modified": "2023-12-13T01:21:57.817178Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2020-1744",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "keycloak",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "all keycloak versions prior to 9.0.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Red Hat"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events."
          }
        ]
      },
      "impact": {
        "cvss": [
          [
            {
              "vectorString": "5.6/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.0"
            }
          ]
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-755"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744",
            "refsource": "CONFIRM",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744"
          },
          {
            "name": "https://access.redhat.com/security/cve/CVE-2020-1744",
            "refsource": "CONFIRM",
            "url": "https://access.redhat.com/security/cve/CVE-2020-1744"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,9.0.1)",
          "affected_versions": "All versions before 9.0.1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "cwe_ids": [
            "CWE-1035",
            "CWE-755",
            "CWE-937"
          ],
          "date": "2021-09-20",
          "description": "A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.",
          "fixed_versions": [
            "9.0.1"
          ],
          "identifier": "CVE-2020-1744",
          "identifiers": [
            "GHSA-4gf2-xv97-63m2",
            "CVE-2020-1744"
          ],
          "not_impacted": "All versions starting from 9.0.1",
          "package_slug": "maven/org.keycloak/keycloak-core",
          "pubdate": "2021-09-20",
          "solution": "Upgrade to version 9.0.1 or above.",
          "title": "Improper Handling of Exceptional Conditions",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1744",
            "https://access.redhat.com/security/cve/CVE-2020-1744",
            "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744",
            "https://github.com/advisories/GHSA-4gf2-xv97-63m2"
          ],
          "uuid": "8b12ad8e-744c-45da-ab68-7a33a1a6c69e"
        },
        {
          "affected_range": "(,9.0.1)",
          "affected_versions": "All versions before 9.0.1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "cwe_ids": [
            "CWE-1035",
            "CWE-200",
            "CWE-937"
          ],
          "date": "2021-09-14",
          "description": "When configuring a Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So `BruteForceProtector` does not handle these events.",
          "fixed_versions": [
            "9.0.2"
          ],
          "identifier": "CVE-2020-1744",
          "identifiers": [
            "CVE-2020-1744"
          ],
          "not_impacted": "All versions starting from 9.0.1",
          "package_slug": "maven/org.keycloak/keycloak-services",
          "pubdate": "2020-03-24",
          "solution": "Upgrade to version 9.0.2 or above.",
          "title": "Information Exposure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1744",
            "https://access.redhat.com/security/cve/CVE-2020-1744",
            "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744"
          ],
          "uuid": "6ff5c428-2c72-4256-b5b4-494f8906d7ba"
        },
        {
          "affected_range": "\u003c9.0.1",
          "affected_versions": "All versions before 9.0.1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "cwe_ids": [
            "CWE-1035",
            "CWE-200",
            "CWE-937"
          ],
          "date": "2021-09-14",
          "description": "A flaw was found in keycloak. When configuring a conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So `BruteForceProtector` does not handle these events.",
          "fixed_versions": [
            "9.0.2"
          ],
          "identifier": "CVE-2020-1744",
          "identifiers": [
            "CVE-2020-1744"
          ],
          "not_impacted": "All versions starting from 9.0.1",
          "package_slug": "npm/keycloak-connect",
          "pubdate": "2020-03-24",
          "solution": "Upgrade to version 9.0.2 or above.",
          "title": "Information Exposure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1744",
            "https://access.redhat.com/security/cve/CVE-2020-1744",
            "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744"
          ],
          "uuid": "06238499-11f5-4ddd-ba7c-14990ff10226"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.0.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-1744"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-755"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://access.redhat.com/security/cve/CVE-2020-1744",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2020-1744"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Vendor Advisory"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.4
        }
      },
      "lastModifiedDate": "2022-11-16T03:13Z",
      "publishedDate": "2020-03-24T14:15Z"
    }
  }
}









Sightings


Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.