{
  "threat_severity" : "Moderate",
  "public_date" : "2020-03-23T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP",
    "id" : "1805792",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1805792"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-755",
  "details" : [ "A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.", "A flaw was found in keycloak. BruteForceProtector does not handle Conditional OTP Authentication Flow login failure events due to these events not being sent to the brute force protection event queue. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Runtimes Spring Boot 2.2.6",
    "release_date" : "2020-06-01T00:00:00Z",
    "advisory" : "RHSA-2020:2252",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "keycloak"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3",
    "release_date" : "2020-03-23T00:00:00Z",
    "advisory" : "RHSA-2020:0951",
    "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.3"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3 for RHEL 6",
    "release_date" : "2020-03-23T00:00:00Z",
    "advisory" : "RHSA-2020:0945",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el6",
    "package" : "rh-sso7-keycloak-0:4.8.18-1.Final_redhat_00001.1.el6sso",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3 for RHEL 7",
    "release_date" : "2020-03-23T00:00:00Z",
    "advisory" : "RHSA-2020:0946",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el7",
    "package" : "rh-sso7-keycloak-0:4.8.18-1.Final_redhat_00001.1.el7sso",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3 for RHEL 8",
    "release_date" : "2020-03-23T00:00:00Z",
    "advisory" : "RHSA-2020:0947",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el8",
    "package" : "rh-sso7-keycloak-0:4.8.18-1.Final_redhat_00001.1.el8sso",
    "impact" : "low"
  }, {
    "product_name" : "Text-Only RHOAR",
    "release_date" : "2020-07-23T00:00:00Z",
    "advisory" : "RHSA-2020:2905",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat support for Spring Boot",
    "fix_state" : "Affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-1744\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-1744" ],
  "name" : "CVE-2020-1744",
  "csaw" : false
}