CVE-2020-1758
Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak
CVSS 3.1 base score: 5.9 (MEDIUM)
EPSS: 0.25%
Description
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform TLS hostname verification when sending emails through the configured SMTP server. Because the certificate presented by the SMTP server is not checked against the expected hostname, this flaw allows an attacker to perform a man-in-the-middle (MITM) attack on the mail connection.
How to fix CVE-2020-1758
To remediate CVE-2020-1758, upgrade the affected package to a fixed version below.
- Upgrade to 10.0.0 or later
Is CVE-2020-1758 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Keycloak: all versions from 0 up to, but not including, 10.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.9) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |