CVE-2020-1728
First published: Wed Nov 27 2019(Updated: )
A flaw was found in Keycloak’s Admin Console, where it is missing HTTP security headers in HTTP responses. This issue is not a direct vulnerability and may not lead to a security issue, but increases the chances of allowing attackers to exploit other security flaws. Examples of these possible exploits are servers being prone to clickjacking, channel downgrade attacks, and other similar client-based attack vectors.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Keycloak | <10.0.0 | |
| Quarkus Quarkus | <=1.4.2 | |
| redhat/rh-sso7-keycloak | <0:9.0.5-1.redhat_00001.1.el6 | 0:9.0.5-1.redhat_00001.1.el6 |
| redhat/rh-sso7-keycloak | <0:9.0.5-1.redhat_00001.1.el7 | 0:9.0.5-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:9.0.5-1.redhat_00001.1.el8 | 0:9.0.5-1.redhat_00001.1.el8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728
- https://issues.redhat.com/browse/KEYCLOAK-12264
- https://access.redhat.com/errata/RHSA-2020:3495
- https://access.redhat.com/errata/RHSA-2020:3496
- https://access.redhat.com/errata/RHSA-2020:3497
- https://access.redhat.com/errata/RHSA-2020:3501
- https://access.redhat.com/security/cve/cve-2020-1728
- https://access.redhat.com/errata/RHSA-2020:3539
- https://access.redhat.com/errata/RHSA-2020:4213
- https://access.redhat.com/errata/RHSA-2020:4252
- https://bugzilla.redhat.com/show_bug.cgi?id=1800585
- https://www.cve.org/CVERecord?id=CVE-2020-1728 https://nvd.nist.gov/vuln/detail/CVE-2020-1728
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-1728?
CVE-2020-1728 is a vulnerability found in all versions of Keycloak where the pages on the Admin Console area of the application are missing general HTTP security headers in HTTP responses.
What is the severity of CVE-2020-1728?
CVE-2020-1728 has a severity level of medium.
How can CVE-2020-1728 be exploited?
CVE-2020-1728 does not directly lead to a security issue, but it might aid attackers in their efforts to exploit other vulnerabilities.
Which versions of Keycloak are affected by CVE-2020-1728?
CVE-2020-1728 affects all versions of Keycloak up to but not including version 10.0.0.
Are there any remediation steps for CVE-2020-1728?
Yes, updating Keycloak to version 10.0.0 or later will address the CVE-2020-1728 vulnerability.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/softwarecombine
- agent/severity
- agent/author
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-1728
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/description
- agent/event
- agent/tags
- agent/trending
- package-manager/redhat
- vendor/redhat
- canonical/redhat keycloak
- vendor/quarkus
- canonical/quarkus quarkus
- version/quarkus quarkus/1.4.2