Exposure of Sensitive Information in keycloak

GHSA-4gf2-xv97-63m2 · CVE-2020-1744

Published Sep 20, 2021 · Modified Nov 8, 2023

Description

A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-1744
WEB https://access.redhat.com/security/cve/CVE-2020-1744
WEB https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes