A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
CVE-2020-10770 - Medium Severity Vulnerability
Keycloak SSO
Library home page: http://keycloak.org
Path to dependency file: /pom.xml
Path to vulnerable library: /canner/.m2/repository/org/keycloak/keycloak-core/11.0.0-alfresco-001/keycloak-core-11.0.0-alfresco-001.jar
Dependency Hierarchy: - :x: **keycloak-core-11.0.0-alfresco-001.jar** (Vulnerable Library)
Found in HEAD commit: 53019ef94e0bd9570f6d298f12cfbcfe3da234c2
Found in base branch: master
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
Publish Date: 2020-12-15
URL: CVE-2020-10770
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/advisories/GHSA-jh7q-5mwf-qvhw
Release Date: 2020-12-15
Fix Resolution: org.keycloak:keycloak-core:13.0.0
Step up your Open Source Security Game with Mend here