CVE-2020-1717 #28172

canon-cmre-benoit-lecardonnel · 2024-03-22T14:01:24Z

canon-cmre-benoit-lecardonnel
Mar 22, 2024

Hello,

Our instance of Dependency-Track has flagged the keycloak-services 23.0.7 JAR: it says it's impacted by CVE-2020-1717.
There is little info available online about this CVE, so not sure whether it is still valid for recent KC versions.
Maybe there is some info at https://issues.redhat.com/browse/KEYCLOAK-12014, but I cannot access that page.

Do you know about this CVE? Does it still impact KC 23.0.7?

Thanks,
Ben

abstractj · 2024-03-25T19:41:52Z

abstractj
Mar 25, 2024
Maintainer

@canon-cmre-benoit-lecardonnel CVE-2020-1717 is a vulnerability found in Keycloak version 7.0.1, actually we are at Keycloak 24.0.2. We strongly advise our users to upgrade, so they can benefit from the security updates.

7 replies

jonkoops Mar 28, 2024
Collaborator

Still upgrade to Keycloak 24 if you want to be secure, we don't support versions of Keycloak other than the current major.

canon-cmre-steve-magness Mar 29, 2024

So was this vulnerability specifically fixed in Keycloak v24 and versions v7 through v23 are exposed, or was it fixed during/after v7 and v23 is not exposed? Trying to determine if it is a False Positive for v23 given the CVE only mentions v7.0.1 specifically.

I appreciate we should still upgrade to Keycloak 24 eventually, but that's not quite what is being asked.

abstractj Apr 1, 2024
Maintainer

User enumeration is considered a weakness by our team considering that there are several ways if of mitigating this issue. The CVE mentioned, from what I checked, reported on Keycloak 7 and due to the agreement of handling it as a weakness was not fixed.

For the list of issues around this topic, please check https://github.com/keycloak/keycloak/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+user+enumeration.

canon-cmre-benoit-lecardonnel Apr 1, 2024
Author

there are several ways if of mitigating this issue.

Can you explain what the mitigations are for this issue? I'd like to check we have them in place in our installations.

Thanks

codespearhead Apr 4, 2024

A more straightforward report of this CVE can be found here.

As explained in #17629 , this type of brute force attack in particular will only affect Keycloak if there's no WAF in front of it doing its part.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2020-1717 #28172

{{title}}

Replies: 1 comment 7 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

CVE-2020-1717 #28172

canon-cmre-benoit-lecardonnel Mar 22, 2024

Replies: 1 comment · 7 replies

abstractj Mar 25, 2024 Maintainer

jonkoops Mar 28, 2024 Collaborator

canon-cmre-steve-magness Mar 29, 2024

abstractj Apr 1, 2024 Maintainer

canon-cmre-benoit-lecardonnel Apr 1, 2024 Author

codespearhead Apr 4, 2024

canon-cmre-benoit-lecardonnel
Mar 22, 2024

Replies: 1 comment 7 replies

abstractj
Mar 25, 2024
Maintainer

jonkoops Mar 28, 2024
Collaborator

abstractj Apr 1, 2024
Maintainer

canon-cmre-benoit-lecardonnel Apr 1, 2024
Author