Improper Restriction of Rendered UI Layers or Frames in Keycloak

GHSA-3gg7-9q2x-79fc · CVE-2020-1728

Published Apr 15, 2020 · Modified Dec 2, 2024

Description

A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-1728
WEB https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728
WEB https://issues.redhat.com/browse/KEYCLOAK-12264

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes