CVE-2020-1744

MEDIUM

Keycloak <9.0.1 - Info Disclosure

Title source: llm

Description

A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.

References (2)

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2020-1744

[Issue Tracking, Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744

Scores

CVSS v3 5.6

EPSS 0.0033

EPSS Percentile 55.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-755

Status published

Affected Products (2)

redhat/keycloak < 9.0.1

org.keycloak/keycloak-core < 9.0.1Maven

Timeline

Published Mar 24, 2020

Tracked Since Feb 18, 2026