CVE-2020-1744
Exposure of Sensitive Information in keycloak
5.6
MEDIUM
CVSS 3.1
EPSS 0.19%
Description
A flaw was found in keycloak before version 9.0.1. When a Conditional OTP Authentication Flow is configured as the post-login flow of an identity provider (IDP), failed OTP login events are not sent to the brute force protection event queue, so BruteForceProtector does not handle these events.
How to fix CVE-2020-1744
To remediate CVE-2020-1744, upgrade the affected package to a fixed version below.
- Upgrade to 9.0.1 or later
Is CVE-2020-1744 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- keycloak: >= 0, < 9.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.6) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |