CVE-2020-1758

EPSS 0.25%
Veröffentlicht 15.05.2020 19:15:12
Zuletzt bearbeitet 21.11.2024 05:11:19
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Keycloak Version < 10.0.0

Redhat ≫ Openstack Version10

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.486

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N
secalert@redhat.com	5.3	1.6	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

CWE-297 Improper Validation of Certificate with Host Mismatch

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1758

Vendor Advisory

Issue Tracking

https://issues.redhat.com/browse/KEYCLOAK-13285

Vendor Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2020-1758

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-1758

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-1758

EUVD