First published: Fri Jan 29 2021(Updated: )
This particular vulnerability exists because on unix-like systems (not including MacOS) the system temporary directory is shared between all users. As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user. In the worse case scenario, this can lead to a local privilege escalation vulnerability. An attacker can create these directories before the java process creates them, but with wider user permissions. Since these directory names are not in any way random, the attacker can simply create these directories ahead of Keycloak. When this happens, the java process doesn't complain that the directories already exist, `mkdir` and `mkdirs` simply return false. However, assuming that the java process is the first thing to create these directories, `mkdir` and `mkdirs` will only set the directory following the default umask (I believe); by default that means that these directories are created with the permissions `drwxr-xr-x`. Thus allowing a malicious local user to read the contents of this temporary directory. The safest protections are to switch to the `Files` API that allow you to exclusively set the file permissions when creating the directories. Or use the `Files` API's for creating temporary directories. <a href="https://issues.redhat.com/browse/KEYCLOAK-17000">https://issues.redhat.com/browse/KEYCLOAK-17000</a>
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/keycloak | <13.0.0 | 13.0.0 |
Redhat Keycloak | <13.0.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this flaw in Keycloak is CVE-2021-20202.
CVE-2021-20202 has a severity level of 7.3 (high).
The highest threat from CVE-2021-20202 is unauthorized access to the contents stored in the temporary directory of Keycloak.
Versions up to and excluding 13.0.0 of Keycloak are affected by CVE-2021-20202.
Yes, the recommended fix for CVE-2021-20202 is to update to version 13.0.0 of Keycloak.