{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-1744", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-04T06:46:30.879Z", "dateReserved": "2019-11-27T00:00:00", "datePublished": "2020-03-24T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-10-07T00:00:00"}, "descriptions": [{"lang": "en", "value": "A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events."}], "affected": [{"vendor": "Red Hat", "product": "keycloak", "versions": [{"version": "all keycloak versions prior to 9.0.1", "status": "affected"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744"}, {"url": "https://access.redhat.com/security/cve/CVE-2020-1744"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-755", "cweId": "CWE-755"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T06:46:30.879Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2020-1744", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", "matchCriteriaId": "23787EE3-4659-4D20-8473-C7237168FDB9", "versionEndExcluding": "9.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events."}, {"lang": "es", "value": "Se descubri\u00f3 un fallo en keycloak versiones anteriores a la versi\u00f3n 9.0.1. Cuando se configura un Conditional OTP Authentication Flow como un flujo posterior al inicio de sesi\u00f3n de un IDP, los eventos de inicio de sesi\u00f3n fallidos para OTP no son enviados hacia la cola de eventos de protecci\u00f3n de fuerza bruta. Entonces BruteForceProtector no maneja estos eventos."}], "id": "CVE-2020-1744", "lastModified": "2023-11-07T03:19:32.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2020-03-24T14:15:13.293", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2020-1744"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-755"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2020:2252", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "keycloak", "product_name": "Red Hat Runtimes Spring Boot 2.2.6", "release_date": "2020-06-01T00:00:00Z"}, {"advisory": "RHSA-2020:0951", "cpe": "cpe:/a:redhat:jboss_single_sign_on:7.3", "product_name": "Red Hat Single Sign-On 7.3", "release_date": "2020-03-23T00:00:00Z"}, {"advisory": "RHSA-2020:0945", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7::el6", "impact": "low", "package": "rh-sso7-keycloak-0:4.8.18-1.Final_redhat_00001.1.el6sso", "product_name": "Red Hat Single Sign-On 7.3 for RHEL 6", "release_date": "2020-03-23T00:00:00Z"}, {"advisory": "RHSA-2020:0946", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7::el7", "impact": "low", "package": "rh-sso7-keycloak-0:4.8.18-1.Final_redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.3 for RHEL 7", "release_date": "2020-03-23T00:00:00Z"}, {"advisory": "RHSA-2020:0947", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7::el8", "impact": "low", "package": "rh-sso7-keycloak-0:4.8.18-1.Final_redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.3 for RHEL 8", "release_date": "2020-03-23T00:00:00Z"}, {"advisory": "RHSA-2020:2905", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "product_name": "Text-Only RHOAR", "release_date": "2020-07-23T00:00:00Z"}], "bugzilla": {"description": "keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP", "id": "1805792", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805792"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-755", "details": ["A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.", "A flaw was found in keycloak. BruteForceProtector does not handle Conditional OTP Authentication Flow login failure events due to these events not being sent to the brute force protection event queue. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2020-1744", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "impact": "low", "package_name": "keycloak", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "impact": "low", "package_name": "keycloak", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "impact": "low", "package_name": "keycloak", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2020-03-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-1744\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-1744"], "threat_severity": "Moderate", "upstream_fix": "keycloak 9.0.1"}