Vulnerability Details : CVE-2020-1725

A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.

Published 2021-01-28 20:15:13

Updated 2021-03-31 12:50:43

Source Red Hat, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2020-1725

Probability of exploitation activity in the next 30 days: 0.05%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 21 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-1725

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:N	8.0	4.9	nvd@nist.gov
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N	2.8	2.5	nvd@nist.gov
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2020-1725

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2020-1725

https://issues.redhat.com/browse/KEYCLOAK-16550

Log In | Red Hat IDP
Permissions Required;Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1765129

1765129 – (CVE-2020-1725) CVE-2020-1725 keycloak: improper usage of parsed claims for authorization leads to improper resource access
Issue Tracking;Vendor Advisory

Products affected by CVE-2020-1725

Redhat » Keycloak
Versions before (<) 13.0.0
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
Matching versions