CVE-2020-1758
MEDIUMKeycloak < 10.0.0 - Improper Certificate Validation in SMTP TLS Hostname Verification
Title source: llmDescription
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.
References (2)
Core 2
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1758
Permissions Required, Vendor Advisory x_refsource_misc
https://issues.redhat.com/browse/KEYCLOAK-13285
Scores
CVSS v3
5.3
EPSS
0.0025
EPSS Percentile
48.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Details
CWE
CWE-295
CWE-297
Status
published
Products (3)
org.keycloak/keycloak-parent
0 - 10.0.0Maven
redhat/keycloak
< 10.0.0
redhat/openstack
10
Published
May 15, 2020
Tracked Since
Feb 18, 2026