SSRF in Keycloak

CVE-2020-10770

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request fo…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.923 (99.7th percentile)

Affected products

  • Keycloak (vendor: N/a), version keycloak 13.0.0

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2020-10770?
CVE-2020-10770 is a vulnerability in Keycloak, classified under Server-Side Request Forgery (SSRF). Published 2020-12-15.
Is CVE-2020-10770 known to be exploited?
15 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.