{
  "threat_severity" : "Important",
  "public_date" : "2020-05-12T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: security issue on reset credential flow",
    "id" : "1796756",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1796756"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-287",
  "details" : [ "A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.", "A flaw was found in the reset credential flow in Keycloak. This flaw allows an attacker to gain unauthorized access to the application." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Decision Manager 7",
    "release_date" : "2020-07-29T00:00:00Z",
    "advisory" : "RHSA-2020:3196",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.8",
    "package" : "keycloak",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "release_date" : "2020-07-29T00:00:00Z",
    "advisory" : "RHSA-2020:3197",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8",
    "package" : "keycloak",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Runtimes Spring Boot 2.2.6",
    "release_date" : "2020-06-01T00:00:00Z",
    "advisory" : "RHSA-2020:2252",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "keycloak"
  }, {
    "product_name" : "Red Hat Single Sign On 7.3.8",
    "release_date" : "2020-05-12T00:00:00Z",
    "advisory" : "RHSA-2020:2112",
    "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.3"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3 for RHEL 6",
    "release_date" : "2020-05-12T00:00:00Z",
    "advisory" : "RHSA-2020:2106",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el6",
    "package" : "rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el6sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3 for RHEL 7",
    "release_date" : "2020-05-12T00:00:00Z",
    "advisory" : "RHSA-2020:2107",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el7",
    "package" : "rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3 for RHEL 8",
    "release_date" : "2020-05-12T00:00:00Z",
    "advisory" : "RHSA-2020:2108",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el8",
    "package" : "rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el8sso"
  }, {
    "product_name" : "Text-Only RHOAR",
    "release_date" : "2020-07-23T00:00:00Z",
    "advisory" : "RHSA-2020:2905",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat support for Spring Boot",
    "fix_state" : "Affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-1718\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-1718" ],
  "name" : "CVE-2020-1718",
  "mitigation" : {
    "value" : "Disable reset credential flow.",
    "lang" : "en:us"
  },
  "csaw" : false
}