Keycloak Operator Password Management Flaw in Red Hat Product
CVE-2020-1731

9.1CRITICAL

Key Information:

Vendor: Red Hat
Status: Keycloak
Vendor: CVE Published:; 2 March 2020

Summary

A security flaw exists in the Keycloak Operator used for managing Keycloak instances. When deploying Keycloak in an OpenShift environment, the operator generates a random admin password upon installation. However, if instances are redeployed within the same OpenShift namespace, the already generated admin password is reused, leading to potential unauthorized access if the password is not updated. This behavior could result in a security risk, making it essential for users to manage and change passwords proactively.

Affected Version(s)

keycloak all versions of keycloak operator before keycloak operator 8.0.2

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1731

x_refsource_CONFIRM

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 2, 2020
Vulnerability Reserved
Nov 27, 2019