MEDIUM 4.9 Maven
Incorrect Permission Assignment for Critical Resource and Permissive List of Allowed Inputs in Keycloak
GHSA-72j4-94rx-cr6w · CVE-2020-1694
Description
A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience option: the `aud` claim of an incoming access token was never checked against the client the adapter protects, so a token issued for one client of the realm was accepted by any other client. This flaw results in some users having access to sensitive information outside of their permissions.