
CVE-2021-20202: Temporary Directory Hijacking Vulnerability in Keycloak

CVSS Score (v3.1): 7.3

Basic Information

EPSS Score: 0.1393%
Published: 3/18/2022
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Package Name: org.keycloak:keycloak-core
Ecosystem: maven
Vulnerable Versions: < 13.0.0
First Patched Version: 13.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from using System.getProperty("java.io.tmpdir") without proper directory creation safeguards. The patches replace these calls with Platform.getPlatform().getTmpDirectory(), indicating these were the vulnerable points. All modified functions shared a pattern of creating directories in the system temp location with predictable names and default permissions, making them susceptible to pre-creation attacks: a local user who creates the directory first, with wider permissions, keeps access to whatever Keycloak later stores there. The functions directly handle temporary directory creation and would appear in stack traces when Keycloak accesses these directories during normal operation or export/import processes.
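The pattern described above, beside a hardened replacement, as an added illustration written for this page; it is not Keycloak's code and not the Platform.getPlatform().getTmpDirectory() implementation. The directory name "kc-export", the method names and the POSIX-only permission checks are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.Set;

// Constructed illustration of the temp-directory pattern; not Keycloak's code.
public class TmpDirExample {

    // Vulnerable pattern: predictable path under java.io.tmpdir, created with
    // default permissions. If the directory already exists (created earlier by
    // another local user), mkdirs() just returns false and the caller keeps
    // using it, so that user can read whatever is written there.
    static Path vulnerableTmpDir() {
        Path dir = Paths.get(System.getProperty("java.io.tmpdir"), "kc-export"); // assumed name
        dir.toFile().mkdirs();  // silently "succeeds" on a pre-existing directory
        return dir;
    }

    // Hardened pattern: unpredictable name, created atomically by the JVM with
    // owner-only permissions, so it cannot be pre-created by someone else.
    static Path safeTmpDir() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        return Files.createTempDirectory("kc-export-", ownerOnly);
    }

    // Defensive check when a fixed-name directory must be reused: fail closed
    // unless it is a plain directory, owned by the current user, owner-only.
    static void requirePrivate(Path dir) throws IOException {
        if (Files.isSymbolicLink(dir) || !Files.isDirectory(dir, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("not a plain directory: " + dir);
        }
        UserPrincipal me = dir.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        if (!Files.getOwner(dir, LinkOption.NOFOLLOW_LINKS).equals(me)) {
            throw new IOException("directory owned by another user: " + dir);
        }
        for (PosixFilePermission p : Files.getPosixFilePermissions(dir, LinkOption.NOFOLLOW_LINKS)) {
            if (!p.name().startsWith("OWNER_")) {
                throw new IOException("directory accessible to group/others: " + dir);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path safe = safeTmpDir();
        requirePrivate(safe);  // passes for the freshly created owner-only directory
        System.out.println("private temp dir: " + safe);
    }
}
```

On non-POSIX filesystems (Windows) the PosixFilePermission calls throw UnsupportedOperationException; there the equivalent check would use ACL views instead.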


WAF Protection Rules

WAF Rule

A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory.
