Arch Linux Security Advisory ASA-202105-6
========================================
Severity: High
Date    : 2021-05-19
CVE-ID  : CVE-2020-14302 CVE-2020-27838 CVE-2021-3513 CVE-2021-20202
          CVE-2021-20222
Package : keycloak
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1926

Summary
======
The package keycloak before version 13.0.0-1 is vulnerable to multiple
issues including cross-site scripting, information disclosure and
insufficient validation.

Resolution
=========
Upgrade to 13.0.0-1.

# pacman -Syu "keycloak>=13.0.0-1"

The problems have been fixed upstream in version 13.0.0.

Workaround
=========
None.

Description
==========
- CVE-2020-14302 (insufficient validation)

A flaw was found in Keycloak before 13.0.0 where an external identity
provider, after successful authentication, redirects to a Keycloak
endpoint that accepts multiple invocations with the use of the same
"state" parameter. This flaw allows a malicious user to perform replay
attacks.
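A single-use "state" store of the kind that closes the replay described above, as an added example in Python (this is not Keycloak's own code; the StateStore class, its method names and the injectable clock are assumptions):

```python
import hmac
import secrets
import time


class StateStore:
    """Accepts each OAuth/OIDC "state" value exactly once (hypothetical class)."""

    def __init__(self, ttl_seconds=300, now=time.monotonic):
        self._ttl = ttl_seconds
        self._now = now          # injectable clock, so tests can move time
        self._pending = {}       # state -> (session_id, expiry)

    def issue(self, session_id):
        """Mint an unguessable state bound to the browser session that starts the login."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = (session_id, self._now() + self._ttl)
        return state

    def consume(self, state, session_id):
        """True only for the first, timely use by the same session.

        The entry is removed before any check can succeed, so a second
        callback carrying the same state (the replay in CVE-2020-14302)
        finds nothing and is rejected, as is a mismatched or expired one.
        """
        entry = self._pending.pop(state, None)
        if entry is None:
            return False
        bound_session, expiry = entry
        if self._now() > expiry:
            return False
        return hmac.compare_digest(bound_session.encode(), session_id.encode())

    def purge_expired(self):
        """Drop states that were issued but never consumed; returns how many remain."""
        now = self._now()
        self._pending = {s: v for s, v in self._pending.items() if v[1] >= now}
        return len(self._pending)
```

The store must be shared across whatever processes serve the callback endpoint; a per-process dictionary would let the same state succeed once per node.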

- CVE-2020-27838 (information disclosure)

A security issue was found in keycloak in versions prior to 13.0.0. The
client registration endpoint allows fetching information about PUBLIC
clients (like client secret) without authentication which could be an
issue if the same PUBLIC client changed to CONFIDENTIAL later.

- CVE-2021-3513 (information disclosure)

A security issue was found in keycloak before version 13.0.0 where
brute force attacks are possible even when the permanent lockout
feature is enabled because of the wrong error message that is displayed
when wrong credentials are entered.

- CVE-2021-20202 (information disclosure)

A security issue was found in keycloak before version 13.0.0. A local
attacker can create directories in the temporary directory before the
Java process creates them, with wider permissions than the process
would have set, giving the attacker access to the contents that
keycloak stores in that directory.
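The temporary-directory race described above, shown as a vulnerable creation pattern beside a hardened one, as an added Python example (not Keycloak code; the function names, the "keycloak-work" directory name and the constructed scenario in demo() are assumptions):

```python
import os
import stat
import tempfile


def create_workdir_unsafe(base, name="keycloak-work"):
    """Vulnerable pattern: predictable path, reused if it already exists."""
    path = os.path.join(base, name)
    os.makedirs(path, exist_ok=True)  # silently adopts a dir someone else pre-created
    return path


def verify_private_dir(path):
    """Refuse a symlink, a directory owned by someone else, or one group/others can use."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path} is not a directory")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to other users")
    return True


def create_workdir_safe(base):
    """Hardened pattern: random name, exclusive creation, mode 0700, then verified."""
    path = tempfile.mkdtemp(prefix="keycloak-", dir=base)
    verify_private_dir(path)
    return path


def demo():
    """Constructed scenario: the predictable directory already exists with wide
    permissions (created here by our own process to stand in for another user)."""
    base = tempfile.mkdtemp(prefix="demo-base-")
    pre = os.path.join(base, "keycloak-work")
    os.mkdir(pre)
    os.chmod(pre, 0o777)  # chmod after mkdir so the umask does not narrow it
    adopted = create_workdir_unsafe(base) == pre        # unsafe path reuses it
    wide_open = bool(os.stat(pre).st_mode & stat.S_IRWXO)
    safe = create_workdir_safe(base)                    # fresh 0700 directory
    safe_private = not (os.stat(safe).st_mode & (stat.S_IRWXG | stat.S_IRWXO))
    try:
        verify_private_dir(pre)
        rejected = False
    except PermissionError:
        rejected = True                                 # pre-created dir refused
    return adopted, wide_open, safe_private, rejected
```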

- CVE-2021-20222 (cross-site scripting)

A security issue was found in keycloak before version 13.0.0. The new
account console in keycloak can allow malicious code to be executed
using the referrer URL.

Impact
=====
A remote attacker could perform replay attacks, obtain information
about CONFIDENTIAL clients, brute force account credentials, or execute
arbitrary code through cross-site scripting. A local attacker could
access sensitive information stored in temporary directories.

References
=========
https://bugzilla.redhat.com/show_bug.cgi?id=1849584
https://issues.redhat.com/plugins/servlet/samlsso
https://github.com/keycloak/keycloak/pull/7807
https://github.com/keycloak/keycloak/commit/41dc94fead4c20560e0dd96c3efbd7bd10a484b6
https://bugzilla.redhat.com/show_bug.cgi?id=1906797
https://issues.redhat.com/plugins/servlet/samlsso
https://github.com/keycloak/keycloak/pull/7790
https://github.com/keycloak/keycloak/commit/9356843c6c3d7097d010b3bb6f91e25fcaba378c
https://bugzilla.redhat.com/show_bug.cgi?id=1953439
https://issues.redhat.com/plugins/servlet/samlsso
https://github.com/keycloak/keycloak/pull/7976
https://github.com/keycloak/keycloak/commit/315b9e3c2970145e03dfaaddc364d588c9ebf060
https://bugzilla.redhat.com/show_bug.cgi?id=1922128
https://issues.redhat.com/plugins/servlet/samlsso
https://github.com/keycloak/keycloak/pull/7859
https://github.com/keycloak/keycloak/commit/853a6d73276849877819f2dc23133557f6e1e601
https://bugzilla.redhat.com/show_bug.cgi?id=1924606
https://issues.redhat.com/plugins/servlet/samlsso
https://github.com/keycloak/keycloak/pull/7868
https://github.com/keycloak/keycloak/commit/3b80eee5bfdf2b80c47465c0f2eaf70074808741
https://security.archlinux.org/CVE-2020-14302
https://security.archlinux.org/CVE-2020-27838
https://security.archlinux.org/CVE-2021-3513
https://security.archlinux.org/CVE-2021-20202
https://security.archlinux.org/CVE-2021-20222
