Bug 1906797 (CVE-2020-27838) - CVE-2020-27838 keycloak: Exploiting the client registration API
Summary: CVE-2020-27838 keycloak: Exploiting the client registration API
Keywords:
Status: NEW
Alias: CVE-2020-27838
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1904057
Reported: 2020-12-11 12:26 UTC by Paramvir jindal
Modified: 2024-02-01 19:12 UTC (History)

See Also:
Fixed In Version: keycloak 13.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Keycloak. The client registration endpoint allows fetching information about PUBLIC clients (including the client secret) without authentication, which could be an issue if the same PUBLIC client is later changed to CONFIDENTIAL. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Paramvir jindal 2020-12-11 12:26:34 UTC
Client registration endpoints should not allow fetching information about public clients without authentication.
https://issues.redhat.com/browse/KEYCLOAK-16521

Comment 4 Paramvir jindal 2021-02-19 14:12:00 UTC
Acknowledgments:

Name: Adam Devoe (SemaTree Inc.)

Comment 20 Patrick Del Bello 2024-02-01 19:12:25 UTC
According to the Jira issue, this was fixed in RHSSO 7.5.0.

