VYPR
Moderate severity · NVD Advisory · Published May 12, 2020 · Updated Aug 4, 2024

CVE-2020-1718

Description

A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The reset credential flow in Keycloak before 8.0.0 can be bypassed via an alternative subflow, allowing unauthorized application access.

Vulnerability

Description

CVE-2020-1718 is a flaw in the reset credential flow of Keycloak versions prior to 8.0.0. When an alternative subflow is present in the reset flow configuration, the authentication checks can be bypassed, allowing an attacker to connect to an application without providing valid credentials [1].

Exploitation

An attacker can exploit this vulnerability by initiating the password reset process on a vulnerable Keycloak instance. If the reset flow includes an alternative subflow that does not properly validate credentials, the attacker may complete the flow and gain authenticated access without knowing the user's password. No prior authentication or special privileges are required, making it exploitable remotely [1].

Impact

Successful exploitation grants the attacker unauthorized access to the target application as the user whose password reset was triggered. This can lead to data exposure, privilege escalation, and further compromise of the system [2].

Mitigation

The issue is resolved in Keycloak 8.0.0 and later. Red Hat Single Sign-On 7.3 for RHEL 6, 7, and 8 includes the fix via RHSA-2020:2106, RHSA-2020:2107, and RHSA-2020:2108 [1]. As a workaround, administrators can disable the reset credential flow entirely until the update is applied [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.keycloak:keycloak-parent (Maven)
Affected versions: < 8.0.0
Patched versions: 8.0.0

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.