CVE-2020-1694
16.09.2020, 19:15
A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.Enginsight
| Vendor | Product | Version |
|---|---|---|
| redhat | keycloak | 𝑥 < 10.0.0 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-183 - Permissive List of Allowed InputsThe product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
- CWE-732 - Incorrect Permission Assignment for Critical ResourceThe product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.