Keycloak Operator Password Management Flaw in Red Hat Product
CVE-2020-1731

9.1 CRITICAL

Key Information:

Vendor: Red Hat
Status: Vendor
CVE Published: 2 March 2020

Summary

A security flaw exists in the Keycloak Operator, which is used to manage Keycloak instances. When Keycloak is deployed in an OpenShift environment, the operator generates a random admin password at installation time. However, if instances are redeployed within the same OpenShift namespace, the previously generated admin password is reused rather than regenerated, which can lead to unauthorized access if that password has not been changed. Because of this behavior, users should manage and rotate the admin password proactively rather than relying on the operator to issue a fresh one on each deployment.

Affected Version(s)

Keycloak: all versions of Keycloak Operator before Keycloak Operator 8.0.2

References

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
