CVE-2020-1758

MEDIUM5.9EPSS 0.25%

Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak

Published: 2/9/2022Modified: 11/8/2023

Description

A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

Affected packages (1)

Maven/org.keycloak:keycloak-parentfrom 0, < 10.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-1758
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1758
WEBhttps://issues.redhat.com/browse/KEYCLOAK-13285