First published: Tue Jan 14 2020(Updated: )
A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Redhat Keycloak | <10.0.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-1694 is a vulnerability found in all versions of Keycloak before 10.0.0 where the NodeJS adapter did not support the verify-token-audience.
The severity of CVE-2020-1694 is medium with a score of 4.9.
CVE-2020-1694 allows some users to have access to sensitive information outside of their permissions in Keycloak.
To fix CVE-2020-1694, upgrade to Keycloak version 10.0.0 or later.
You can find more information about CVE-2020-1694 in the following references: [CVE-2020-1694](https://www.cve.org/CVERecord?id=CVE-2020-1694), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-1694), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1790759), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2020:2813).