Moderate severity · NVD Advisory · Published Dec 15, 2020 · Updated Aug 4, 2024
CVE-2020-10770
Description
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-core (Maven) | < 13.0.0 | 13.0.0 |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (8)
- github.com/advisories/GHSA-jh7q-5mwf-qvhw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-10770 (ghsa, ADVISORY)
- packetstormsecurity.com/files/164499/Keycloak-12.0.1-Server-Side-Request-Forgery.html (ghsa, WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa, WEB)
- github.com/keycloak/keycloak-documentation/pull/1086 (ghsa, WEB)
- github.com/keycloak/keycloak/pull/7714 (ghsa, WEB)
- issues.redhat.com/browse/KEYCLOAK-14019 (ghsa, WEB)
- issues.redhat.com/browse/KEYCLOAK-3426 (ghsa, WEB)
News mentions (0)
No linked articles in our index yet.