Keycloak Information Disclosure

medium Web App Scanning Plugin ID 114260

Language:

Synopsis

Keycloak Information Disclosure

Description

Keycloak versions before 13.0.0 suffer from an information disclosure vulnerability. By requesting the client registration endpoint, a remote and unauthenticated attacker could retrieve information about public clients which could be sensitive if these clients move to the 'confidential' access type.

Solution

Upgrade to Keycloak version 13.0.0 or later.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=1906797

Plugin Details

Severity: Medium

ID: 114260

Type: remote

Family: Component Vulnerability

Published: 4/22/2024

Updated: 4/22/2024

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.1

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2020-27838

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS Score Source: CVE-2020-27838

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/8/2021

Vulnerability Publication Date: 3/8/2021

Reference Information

CVE: CVE-2020-27838

CWE: 287

OWASP: 2010-A3, 2013-A2, 2013-A9, 2017-A2, 2017-A9, 2021-A6, 2021-A7

WASC: Insufficient Authentication

CAPEC: 114, 115, 151, 194, 22, 57, 593, 633, 650, 94

DISA STIG: APSC-DV-000460, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-CM-6b

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1

PCI-DSS: 3.2-6.2, 3.2-6.5.10