CVE-2020-1758
MEDIUM
Keycloak <10.0.0 - Info Disclosure
Title source: llmDescription
A flaw was found in Keycloak in versions before 10.0.0: when sending email through the configured SMTP server over TLS, Keycloak does not perform TLS hostname verification, so it does not check that the name on the server's certificate matches the SMTP host it was configured to use (CWE-297). An attacker able to interpose on the connection between Keycloak and the SMTP server (man-in-the-middle) can present a certificate issued for a different name, which Keycloak accepts, and read the mail that passes through; this is the high confidentiality impact (and no integrity or availability impact) recorded in the CVSS vector below.
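The following Go program is an added, stand-alone illustration of what "no TLS hostname verification" means in practice; it is not Keycloak's code and not the project's fix. It creates a throwaway certificate for one name (the constructed `mail.example.test`), serves it from a loopback TLS listener that answers with an SMTP-style banner, and then connects three times as a client configured for the constructed host `smtp.example.test`: once with hostname verification on, once with only the chain checked and the name ignored (the Keycloak <10.0.0 behaviour), and once with verification on and the right name. In JavaMail-based senders such as Keycloak's, this check is controlled by the `mail.smtp.ssl.checkserveridentity` session property.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed names for the demo: the SMTP host an application is configured
// to use, and the name that actually appears on the certificate it is shown.
const (
	ConfiguredSMTPHost = "smtp.example.test"
	CertificateHost    = "mail.example.test"
)

// selfSignedCert returns a throwaway certificate valid only for dnsName, plus a
// root pool that trusts it (standing in for the CA the SMTP client trusts).
func selfSignedCert(dnsName string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// startServer runs a loopback TLS listener presenting cert; it plays the
// interposed host, which greets like a real SMTP server would.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				c.Write([]byte("220 " + CertificateHost + " ESMTP ready\r\n"))
			}(c)
		}
	}()
	return ln, nil
}

// connect dials addr as a client configured for expectedHost. With checkHostname
// false it still validates the chain against roots but never compares the name
// on the certificate, which is the gap CVE-2020-1758 describes.
func connect(addr, expectedHost string, roots *x509.CertPool, checkHostname bool) error {
	cfg := &tls.Config{RootCAs: roots, ServerName: expectedHost, MinVersion: tls.VersionTLS12}
	if !checkHostname {
		cfg.InsecureSkipVerify = true // turn off Go's built-in chain+name verification ...
		cfg.VerifyConnection = func(cs tls.ConnectionState) error {
			// ... and redo only the chain check: no DNSName in opts, so any name passes.
			opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
			for _, ic := range cs.PeerCertificates[1:] {
				opts.Intermediates.AddCert(ic)
			}
			_, err := cs.PeerCertificates[0].Verify(opts)
			return err
		}
	}
	conn, err := tls.Dial("tcp", addr, cfg) // tls.Dial completes the handshake
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo returns the outcome of three connections to a server whose certificate is
// for CertificateHost: strict client expecting ConfiguredSMTPHost, lax client
// expecting the same, and strict client expecting the name really on the cert.
func Demo() (strict, lax, matching error, err error) {
	cert, roots, err := selfSignedCert(CertificateHost)
	if err != nil {
		return nil, nil, nil, err
	}
	ln, err := startServer(cert)
	if err != nil {
		return nil, nil, nil, err
	}
	defer ln.Close()
	addr := ln.Addr().String()
	strict = connect(addr, ConfiguredSMTPHost, roots, true)
	lax = connect(addr, ConfiguredSMTPHost, roots, false)
	matching = connect(addr, CertificateHost, roots, true)
	return strict, lax, matching, nil
}

func main() {
	strict, lax, matching, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("hostname check on, wrong name :", strict)
	fmt.Println("hostname check off, wrong name:", lax)
	fmt.Println("hostname check on, right name :", matching)
}
```

Only the first connection fails: a chain-only check accepts any certificate the trusted CA has ever issued, so an attacker who can obtain a valid certificate for some other name and sit on the path to the SMTP server is indistinguishable from the real server. The usual fix is to leave the name check on and point `ServerName` (or the equivalent mail-library property) at the configured SMTP host.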
Scores
CVSS v3
5.3
EPSS
0.0025
EPSS Percentile
48.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Classification
CWE
CWE-295
CWE-297
Status
published
Affected Products (3)
redhat/keycloak
< 10.0.0
redhat/openstack
org.keycloak/keycloak-parent
< 10.0.0 (Maven)
Timeline
Published
May 15, 2020
Tracked Since
Feb 18, 2026