CVE-2020-1758

EPSS 0.25%
Published 15.05.2020 19:15:12
Last modified 21.11.2024 05:11:19
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

Affected products Warnungen 0 Metrics 4 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Keycloak Version < 10.0.0

Redhat ≫ Openstack Version10

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.25%	0.486

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N
secalert@redhat.com	5.3	1.6	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

CWE-297 Improper Validation of Certificate with Host Mismatch

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1758

Vendor Advisory

Issue Tracking

https://issues.redhat.com/browse/KEYCLOAK-13285

Vendor Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2020-1758

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-1758

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-1758

EUVD