Question about Keycloak (CVE-2020-10770)


Ryan Kimmel

Dec 8, 2020, 1:47:37 PM
to Keycloak Dev
Issue details can be found here: https://security.lauritz-holtmann.de/post/sso-security-ssrf/ It seems this is not a high priority for the Keycloak team, but in a cloud environment this SSRF issue is much more problematic. I'm essentially looking for a quick answer about when we can roughly expect the Keycloak 12 release, which will include this fix. In addition, I would love a description of the fix, just in case I need to fork Keycloak in the short term.

Schuster Sebastian (IOC/PDL22)

Dec 10, 2020, 11:26:59 AM
to Ryan Kimmel, Keycloak Dev

I would suggest eliminating this parameter on the reverse proxy for now…

Best regards

Dr.-Ing. Sebastian Schuster

Project Delivery Berlin 22 (IOC/PDL22)
Bosch.IO GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch.io

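Sebastian's suggestion worked out as an added example (not code from the thread, from Keycloak, or from any proxy project): a reverse-proxy style filter that rejects, or alternatively strips, the offending parameter before a request reaches Keycloak's authorization endpoint. It assumes the parameter is the OIDC `request_uri` (the thread itself does not name it) and Keycloak's default `/auth` context path.

```python
"""Proxy-side filter for CVE-2020-10770 style requests (added example).

Assumption: the parameter to drop is the OIDC ``request_uri`` and Keycloak
is served under the default ``/auth`` context path.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Only the authorization endpoint dereferences request_uri; other endpoints
# (token, userinfo, ...) pass through untouched.
AUTH_ENDPOINT = re.compile(r"^/auth/realms/[^/]+/protocol/openid-connect/auth$")
BLOCKED_PARAMS = {"request_uri"}


def filter_request(url: str, mode: str = "reject"):
    """Return (allowed, url_to_forward).

    mode="reject": refuse any authorization request carrying a blocked parameter.
    mode="strip":  forward the request with the blocked parameter removed.
    """
    parts = urlsplit(url)
    if not AUTH_ENDPOINT.match(parts.path):
        return True, url
    # parse_qsl percent-decodes keys, so "request%5Furi" is still caught;
    # the lower() keeps the match conservative against odd casing.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() in BLOCKED_PARAMS for k, _ in params):
        return True, url
    if mode == "reject":
        return False, url
    kept = [(k, v) for k, v in params if k.lower() not in BLOCKED_PARAMS]
    return True, urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample = ("/auth/realms/demo/protocol/openid-connect/auth"
              "?client_id=app&response_type=code&request_uri=https%3A%2F%2Fexample.invalid%2Freq")
    print(filter_request(sample))
    print(filter_request(sample, mode="strip"))
```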

Alexei Yarilovets

Jun 28, 2022, 6:46:49 AM
to Keycloak Dev
Is this CVE fixed in 12.0.4?

Bruno Oliveira

Jun 28, 2022, 12:33:49 PM
to Alexei Yarilovets, Keycloak Dev