CVE-2020-14366

MEDIUM

Keycloak < 12.0.0 - Path Traversal via URL-Encoded Path Segments

Title source: llm
STIX 2.1

Description

A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the url path to the file path. Only few specific folder hierarchies can be exposed by this flaw

References (1)

Core 1
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14366

Scores

CVSS v3 6.8
EPSS 0.0038
EPSS Percentile 59.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Details

CWE
CWE-22
Status published
Products (2)
org.keycloak/keycloak-parent 0 - 12.0.0Maven
redhat/keycloak < 12.0.0
Published Nov 09, 2020
Tracked Since Feb 18, 2026