CVE-2020-1698: Keycloak leaks sensitive information in logged exceptions
CVSS Score
5.5 (CVSS v3.1)
Basic Information
CVE ID
CVE-2020-1698
GHSA ID
EPSS Score
0.15604%
CWE
Published
5/24/2022
Updated
4/22/2024
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.keycloak:keycloak-core | maven | < 9.0.0 | 9.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The fix commit changes the exception message built in HttpMethod.java from interpolating the whole request 'builder' (whose string form includes the request body, i.e. form parameters such as the submitted password) to interpolating only 'builder.getMethod()' (the HTTP verb). This matches the vulnerability description: when a request failed, the exception message, and therefore any log line that captured it, carried the password. Both the CVE and the GHSA reference this code change as the fix, which confirms the function's role in the vulnerability. The practical check for a deployment is the same one the fix implies: an exception raised around an outbound token or authorization request must not stringify the request object, only the fields known to be non-sensitive.
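The pattern behind the vulnerability and its fix, as an added illustrative example (not Keycloak's code): a small stand-in `RequestBuilder` class whose `toString()` renders the full request, an exception message that interpolates the whole builder (the vulnerable form), and the same message restricted to `getMethod()` (the form of the 9.0.0 fix). The class, the `send()` stub and the credentials are all constructed for the example.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

// Added example, not Keycloak's code. RequestBuilder is a hypothetical stand-in for an
// HTTP request builder whose toString() dumps the whole request, form body included.
public class LoggedExceptionLeak {

    static final class RequestBuilder {
        private final String method;
        private final String url;
        private final Map<String, String> formParams = new LinkedHashMap<>();

        RequestBuilder(String method, String url) { this.method = method; this.url = url; }

        RequestBuilder param(String name, String value) { formParams.put(name, value); return this; }

        String getMethod() { return method; }

        String getUrl() { return url; }

        // Typical of builder/request classes: renders everything, secrets included.
        @Override public String toString() {
            String body = formParams.entrySet().stream()
                .map(e -> e.getKey() + "=" + e.getValue())
                .collect(Collectors.joining("&"));
            return method + " " + url + " body=[" + body + "]";
        }
    }

    // Simulated transport failure so the catch blocks below are exercised.
    static void send(RequestBuilder b) throws IOException {
        throw new IOException("connection reset");
    }

    // Vulnerable pattern: the exception message interpolates the whole builder.
    static RuntimeException vulnerableExecute(RequestBuilder builder) {
        try {
            send(builder);
            return null;
        } catch (IOException e) {
            return new RuntimeException("Error executing http method [" + builder + "]", e);
        }
    }

    // Hardened pattern, mirroring the fix described above: only the HTTP verb is logged.
    static RuntimeException fixedExecute(RequestBuilder builder) {
        try {
            send(builder);
            return null;
        } catch (IOException e) {
            return new RuntimeException("Error executing http method [" + builder.getMethod() + "]", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample request: a resource-owner password grant with fake credentials.
        RequestBuilder token = new RequestBuilder("POST", "https://sso.example.test/token")
            .param("grant_type", "password")
            .param("username", "alice")
            .param("password", "hunter2")
            .param("client_secret", "s3cr3t-client");

        String before = vulnerableExecute(token).getMessage();
        String after = fixedExecute(token).getMessage();

        System.out.println("vulnerable: " + before);
        System.out.println("fixed:      " + after);

        // The check a practitioner wants: no secret material may reach a log line.
        boolean leaks = before.contains("hunter2") || before.contains("s3cr3t-client");
        boolean safe = !after.contains("hunter2") && !after.contains("s3cr3t-client");
        System.out.println("vulnerable message leaks credentials: " + leaks);
        System.out.println("fixed message is safe to log: " + safe);
    }
}
```

Running `main` prints the vulnerable message with `password=hunter2` and `client_secret=s3cr3t-client` in it, and the fixed message as just `Error executing http method [POST]`. The same string-containment check can be turned into a unit test that fails whenever someone reintroduces a `toString()` of a request object into an exception or log message.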