CVE Vulnerabilities

CVE-2020-1724

Insufficient Session Expiration

Published: May 11, 2020 | Modified: Nov 07, 2023
CVSS 3.x
4.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
RedHat/V2
RedHat/V3
4.3 LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Ubuntu

A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.

Weakness

According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”

Affected Software

Name Vendor Start Version End Version
Keycloak Redhat * 9.0.2 (excluding)
Red Hat Runtimes Spring Boot 2.2.6 RedHat keycloak *
Red Hat Single Sign On 7.3.8 RedHat *
Red Hat Single Sign-On 7.3 for RHEL 6 RedHat rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el6sso *
Red Hat Single Sign-On 7.3 for RHEL 7 RedHat rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el7sso *
Red Hat Single Sign-On 7.3 for RHEL 8 RedHat rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el8sso *
Text-Only RHOAR RedHat *

Potential Mitigations

References