Arch Linux 802 Published by

A keycloak security update has been released for Arch Linux.



ASA-202105-6: keycloak: multiple issues


Arch Linux Security Advisory ASA-202105-6
========================================
Severity: High
Date : 2021-05-19
CVE-ID : CVE-2020-14302 CVE-2020-27838 CVE-2021-3513 CVE-2021-20202
CVE-2021-20222
Package : keycloak
Type : multiple issues
Remote : Yes
Link :   https://security.archlinux.org/AVG-1926

Summary
======
The package keycloak before version 13.0.0-1 is vulnerable to multiple
issues including cross-site scripting, information disclosure and
insufficient validation.

Resolution
=========
Upgrade to 13.0.0-1.

# pacman -Syu "keycloak>.0.0-1"

The problems have been fixed upstream in version 13.0.0.

Workaround
=========
None.

Description
==========
- CVE-2020-14302 (insufficient validation)

A flaw was found in Keycloak before 13.0.0 where an external identity
provider, after successful authentication, redirects to a Keycloak
endpoint that accepts multiple invocations with the use of the same
"state" parameter. This flaw allows a malicious user to perform replay
attacks.

- CVE-2020-27838 (information disclosure)

A security issue was found in keycloak in versions prior to 13.0.0. The
client registration endpoint allows fetching information about PUBLIC
clients (like client secret) without authentication which could be an
issue if the same PUBLIC client changed to CONFIDENTIAL later.

- CVE-2021-3513 (information disclosure)

A security issue was found in keycloak before version 13.0.0 where
brute force attacks are possible even when the permanent lockout
feature is enabled because of the wrong error message that is displayed
when wrong credentials are entered.

- CVE-2021-20202 (information disclosure)

A security issue was found in keycloak before version 13.0.0.
Directories can be created prior to the Java process creating them in
the temporary directory, but with wider user permissions, allowing the
attacker to have access to the contents that keycloak stores in this
directory.

- CVE-2021-20222 (cross-site scripting)

A security issue was found in keycloak before version 13.0.0. The new
account console in keycloak can allow malicious code to be executed
using the referrer URL.

Impact
=====
A remote attacker could perform replay attacks, obtain information
about CONFIDENTIAL clients, brute force account credentials, or execute
arbitrary code through cross-site scripting. A local attacker could
access sensitive information stored in temporary directories.

References
=========
  https://bugzilla.redhat.com/show_bug.cgi?id49584
  https://issues.redhat.com/browse/KEYCLOAK-14483
  https://github.com/keycloak/keycloak/pull/7807
  https://github.com/keycloak/keycloak/commit/41dc94fead4c20560e0dd96c3efbd7bd10a484b6
  https://bugzilla.redhat.com/show_bug.cgi?id06797
  https://issues.redhat.com/browse/KEYCLOAK-16521
  https://github.com/keycloak/keycloak/pull/7790
  https://github.com/keycloak/keycloak/commit/9356843c6c3d7097d010b3bb6f91e25fcaba378c
  https://bugzilla.redhat.com/show_bug.cgi?id53439
  https://issues.redhat.com/browse/KEYCLOAK-17835
  https://github.com/keycloak/keycloak/pull/7976
  https://github.com/keycloak/keycloak/commit/315b9e3c2970145e03dfaaddc364d588c9ebf060
  https://bugzilla.redhat.com/show_bug.cgi?id22128
  https://issues.redhat.com/browse/KEYCLOAK-17000
  https://github.com/keycloak/keycloak/pull/7859
  https://github.com/keycloak/keycloak/commit/853a6d73276849877819f2dc23133557f6e1e601
  https://bugzilla.redhat.com/show_bug.cgi?id24606
  https://issues.redhat.com/browse/KEYCLOAK-17033
  https://github.com/keycloak/keycloak/pull/7868
  https://github.com/keycloak/keycloak/commit/3b80eee5bfdf2b80c47465c0f2eaf70074808741
  https://security.archlinux.org/CVE-2020-14302
  https://security.archlinux.org/CVE-2020-27838
  https://security.archlinux.org/CVE-2021-3513
  https://security.archlinux.org/CVE-2021-20202
  https://security.archlinux.org/CVE-2021-20222