Keycloak Security Update (MINDBREEZE18131)

ID: MINDBREEZE18131 
Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS 
Severity: 5.4 Medium 
Status: Final 
First published: October 28, 2021 
CVEs: CVE-2020-1725, CVE-2020-14302, CVE-2020-10770 

Summary

  • CVE-2020-1725: A flaw was found in Keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. (5.4 Medium) 

  • CVE-2020-14302: A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks. 

  • CVE-2020-10770: A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
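The two server-side conditions described for CVE-2020-14302 and CVE-2020-10770 (a callback endpoint that accepts the same "state" value more than once, and a server that fetches whatever request_uri it is given) can be illustrated with a small defensive model. The following is an added example written for this page; it is not Keycloak, Mindbreeze or patch code, and the store, time-to-live and allowlist names are hypothetical. It shows the two checks a practitioner would expect from a fixed server: each issued state is consumed exactly once, and request_uri is only honoured for pre-registered HTTPS hosts.

```python
"""Added defensive example (not Keycloak code): single-use OIDC "state" values
and an allowlist for request_uri.

Models the two conditions named in CVE-2020-14302 and CVE-2020-10770: a
callback endpoint that accepts the same state more than once, and a server
that fetches an unverified request_uri. Names, TTL and hosts are assumptions.
"""
import secrets
import time
from urllib.parse import urlparse

STATE_TTL_SECONDS = 300  # assumption: a state older than this is rejected


class StateStore:
    """Server-side store of outstanding login states; each is consumed once."""

    def __init__(self):
        self._pending = {}  # state -> issue timestamp

    def issue(self, now=None):
        """Create an unguessable state and remember when it was issued."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = now if now is not None else time.time()
        return state

    def consume(self, state, now=None):
        """Return True exactly once per issued, unexpired state."""
        now = now if now is not None else time.time()
        issued = self._pending.pop(state, None)  # pop: a replay finds nothing
        if issued is None:
            return False
        return now - issued <= STATE_TTL_SECONDS


def handle_callback(store, state, now=None):
    """Callback endpoint: reject unknown, expired or already-used state."""
    if not store.consume(state, now):
        return "rejected"
    return "accepted"


# request_uri: only pre-registered HTTPS locations may be fetched.
ALLOWED_REQUEST_URI_HOSTS = {"client.example"}  # constructed sample registration


def request_uri_allowed(request_uri):
    """True only for an https URL whose host is registered and carries no userinfo."""
    parsed = urlparse(request_uri)
    if parsed.scheme != "https":
        return False
    if parsed.username or parsed.password:
        return False  # "host@other" forms resolve to the part after the "@"
    return parsed.hostname in ALLOWED_REQUEST_URI_HOSTS


if __name__ == "__main__":
    store = StateStore()
    s = store.issue(now=1000.0)
    print(handle_callback(store, s, now=1001.0))   # accepted
    print(handle_callback(store, s, now=1002.0))   # rejected (replay)
    print(request_uri_allowed("https://client.example/req.jwt"))  # True
    print(request_uri_allowed("https://internal.example/"))       # False
```

The essential detail for the replay case is that the state is removed from the store at the moment it is checked, so a second presentation of the same value, however fast, finds nothing to match. For request_uri the check is an allowlist by registered host, not a denylist of internal addresses, and it rejects URLs carrying userinfo because the real host of `https://client.example@other.example/` is the part after the `@`.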

Remediation

Hotfix Information

Fixed with the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

  • Mindbreeze InSpire 21.2 Release (Version 21.2.1.1027)

  • Mindbreeze InSpire SaaS 21.2 Release (Version 21.2.1.1027)