{
  "threat_severity" : "Moderate",
  "public_date" : "2020-05-12T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: improper verification of certificate with host mismatch could result in information disclosure",
    "id" : "1812514",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1812514"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-297",
  "details" : [ "A flaw was found in Keycloak in versions before 10.0.0, where it does not perform TLS hostname verification while sending emails via the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.", "A flaw was found in Keycloak, where it does not perform TLS hostname verification while sending emails via the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack." ],
  "acknowledgement" : "Red Hat would like to thank Peter Stöckli for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Single Sign On 7.3.8",
    "release_date" : "2020-05-12T00:00:00Z",
    "advisory" : "RHSA-2020:2112",
    "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.3"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3 for RHEL 6",
    "release_date" : "2020-05-12T00:00:00Z",
    "advisory" : "RHSA-2020:2106",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el6",
    "package" : "rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el6sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3 for RHEL 7",
    "release_date" : "2020-05-12T00:00:00Z",
    "advisory" : "RHSA-2020:2107",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el7",
    "package" : "rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3 for RHEL 8",
    "release_date" : "2020-05-12T00:00:00Z",
    "advisory" : "RHSA-2020:2108",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el8",
    "package" : "rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el8sso"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat support for Spring Boot",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-1758\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-1758\nhttps://issues.redhat.com/browse/KEYCLOAK-13285" ],
  "name" : "CVE-2020-1758",
  "mitigation" : {
    "value" : "Turn off all kinds of email notifications, including password reset mails.",
    "lang" : "en:us"
  },
  "csaw" : false
}