ASA-202105-6 log original external raw

[ASA-202105-6] keycloak: multiple issues
Arch Linux Security Advisory ASA-202105-6 ========================================= Severity: High Date : 2021-05-19 CVE-ID : CVE-2020-14302 CVE-2020-27838 CVE-2021-3513 CVE-2021-20202 CVE-2021-20222 Package : keycloak Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1926 Summary ======= The package keycloak before version 13.0.0-1 is vulnerable to multiple issues including cross-site scripting, information disclosure and insufficient validation. Resolution ========== Upgrade to 13.0.0-1. # pacman -Syu "keycloak>=13.0.0-1" The problems have been fixed upstream in version 13.0.0. Workaround ========== None. Description =========== - CVE-2020-14302 (insufficient validation) A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks. - CVE-2020-27838 (information disclosure) A security issue was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. - CVE-2021-3513 (information disclosure) A security issue was found in keycloak before version 13.0.0 where brute force attacks are possible even when the permanent lockout feature is enabled because of the wrong error message that is displayed when wrong credentials are entered. - CVE-2021-20202 (information disclosure) A security issue was found in keycloak before version 13.0.0. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. - CVE-2021-20222 (cross-site scripting) A security issue was found in keycloak before version 13.0.0. The new account console in keycloak can allow malicious code to be executed using the referrer URL. Impact ====== A remote attacker could perform replay attacks, obtain information about CONFIDENTIAL clients, brute force account credentials, or execute arbitrary code through cross-site scripting. A local attacker could access sensitive information stored in temporary directories. References ========== https://bugzilla.redhat.com/show_bug.cgi?id=1849584 https://issues.redhat.com/browse/KEYCLOAK-14483 https://github.com/keycloak/keycloak/pull/7807 https://github.com/keycloak/keycloak/commit/41dc94fead4c20560e0dd96c3efbd7bd10a484b6 https://bugzilla.redhat.com/show_bug.cgi?id=1906797 https://issues.redhat.com/browse/KEYCLOAK-16521 https://github.com/keycloak/keycloak/pull/7790 https://github.com/keycloak/keycloak/commit/9356843c6c3d7097d010b3bb6f91e25fcaba378c https://bugzilla.redhat.com/show_bug.cgi?id=1953439 https://issues.redhat.com/browse/KEYCLOAK-17835 https://github.com/keycloak/keycloak/pull/7976 https://github.com/keycloak/keycloak/commit/315b9e3c2970145e03dfaaddc364d588c9ebf060 https://bugzilla.redhat.com/show_bug.cgi?id=1922128 https://issues.redhat.com/browse/KEYCLOAK-17000 https://github.com/keycloak/keycloak/pull/7859 https://github.com/keycloak/keycloak/commit/853a6d73276849877819f2dc23133557f6e1e601 https://bugzilla.redhat.com/show_bug.cgi?id=1924606 https://issues.redhat.com/browse/KEYCLOAK-17033 https://github.com/keycloak/keycloak/pull/7868 https://github.com/keycloak/keycloak/commit/3b80eee5bfdf2b80c47465c0f2eaf70074808741 https://security.archlinux.org/CVE-2020-14302 https://security.archlinux.org/CVE-2020-27838 https://security.archlinux.org/CVE-2021-3513 https://security.archlinux.org/CVE-2021-20202 https://security.archlinux.org/CVE-2021-20222