Miggo Logo
Miggo Vulnerability Database
CVE-2020-1731

CVE-2020-1731: Predictable password in Keycloak

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-1731
GHSA ID
GHSA-6pmv-7pr9-cgrj
EPSS Score
0.59222%
CWE
CWE-330
Published
4/15/2020
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.keycloak:keycloak-coremaven< 8.0.28.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The provided GitHub patches (commit 5c549575) address event logging changes (removal of CLIENT_SESSION_STATE/HOST details) rather than password generation logic. The CVE-2020-1731 vulnerability specifically relates to predictable admin password generation in the Keycloak operator, but:

  1. The analyzed patches modify protocol handling and test cases, not operator deployment logic
  2. No code related to password generation/initialization is present in the provided files
  3. The operator component (where the vulnerability exists) isn't represented in the provided patches
  4. The commit message references 'KEYCLOAK-12228 Sensitive Data Exposure', which aligns with the patch changes but not the password predictability issue Without evidence of password generation functions in the provided patches, we cannot confidently identify vulnerable runtime indicators.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *oun* in *ll v*rsions o* t** K*y*lo*k op*r*tor, ***or* v*rsion *.*.*,(*ommunity only) w**r* t** op*r*tor **n*r*t*s * r*n*om **min p*sswor* w**n inst*llin* K*y*lo*k, *ow*v*r t** p*sswor* r*m*ins t** s*m* w**n **ploy** to t** s*m* Op*nS*i*t

Reasoning

T** provi*** *it*u* p*t***s (*ommit ********) ***r*ss *v*nt lo**in* ***n**s (r*mov*l o* *LI*NT_S*SSION_ST*T*/*OST **t*ils) r*t**r t**n p*sswor* **n*r*tion lo*i*. T** *V*-****-**** vuln*r**ility sp**i*i**lly r*l*t*s to pr**i*t**l* **min p*sswor* **n*r