TLS Hostname Verification Flaw in Keycloak by Red Hat
CVE-2020-1758

5.3MEDIUM

Key Information:

Vendor: Red Hat
Status: Keycloak
Vendor: CVE Published:; 15 May 2020

Summary

A flaw in Keycloak versions prior to 10.0.0 allows attackers to circumvent TLS hostname verification when sending emails via an SMTP server. This oversight can enable a man-in-the-middle (MITM) attack, compromising sensitive email communications and exposing personal information. Proper security measures should be implemented to mitigate the risk of unauthorized intercepts during email transmissions, thus ensuring the integrity and confidentiality of the data.

Affected Version(s)

keycloak keycloak versions before 10.0.0

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1758

x_refsource_CONFIRM

https://issues.redhat.com/browse/KEYCLOAK-13285

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 15, 2020
Vulnerability Reserved
Nov 27, 2019