{
  "threat_severity" : "Moderate",
  "public_date" : "2020-07-02T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: top-level navigations to data URLs resulting in XSS are possible (incomplete fix of CVE-2020-1697)",
    "id" : "1836786",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1836786"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances; this is an incomplete fix of CVE-2020-1697. An attacker who can induce a user to perform a top-level navigation to a crafted data: URL (user interaction is required, per the CVSS vector) could use this flaw to conduct cross-site scripting or further attacks.", "A flaw was found in Keycloak's data filter, where it allowed the processing of data URLs in some circumstances. An attacker who can induce a user to perform a top-level navigation to a crafted data: URL could use this flaw to conduct cross-site scripting or further attacks." ],
  "acknowledgement" : "Red Hat would like to thank Lauritz Holtmann (Chair for Network and Data Security at Ruhr University Bochum) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Single Sign-On 7.4.1",
    "release_date" : "2020-07-02T00:00:00Z",
    "advisory" : "RHSA-2020:2813",
    "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Affected",
    "package_name" : "rh-sso7-keycloak",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat support for Spring Boot",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-10748\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10748" ],
  "name" : "CVE-2020-10748",
  "csaw" : false
}