This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: An attacker can make the Keycloak server fetch an arbitrary, unverified URL by supplying it in the OIDC `request_uri` parameter of an authorization request.
**Consequences**: **Server-Side Request Forgery (SSRF)** originating from the Keycloak server.
**CWE**: **CWE-918** (Server-Side Request Forgery).
**Flaw**: The value of `request_uri` is not validated against any allowlist. The server trusts the externally supplied URL and fetches it.
Q3 Who is affected? (Versions/Components)
**Product**: Red Hat **Keycloak**.
**Affected**: Versions **12.0.1 and below**.
**Vendor**: Red Hat (USA).
Q4 What can hackers do? (Privileges/Data)
**Hackers Can**: Perform **Blind SSRF**. The HTTP response does not return the fetched content; the attacker learns whether the fetch happened only through an out-of-band callback or through differences in timing and error behaviour.
**Impact**: Port scan localhost, reach internal hosts, or bypass network restrictions by using the Keycloak server as a pivot for requests into the internal network.
Q5 Is the exploitation threshold high? (Auth/Config)
**Threshold**: **LOW**.
**Auth**: **Unauthenticated**. No login is required: the parameter is sent to the realm's public OIDC authorization endpoint, which accepts requests before any user authenticates.
Q6 Is there a public exploit? (PoC/Wild Exploitation)
**Public Exploit?**: **YES**.
**PoC**: Available on GitHub (`ColdFusionX/Keycloak-12.0.1-CVE-2020-10770`) and Exploit-DB (**50405**). A Python script is provided.
Q7 How to self-check? (Features/Scanning)
**Self-Check**: Identify the Keycloak instances you operate.
**Test**: Send an OIDC authorization request whose `request_uri` points at a listener you control and watch for the callback; because the SSRF is blind, the HTTP response alone will not tell you whether the fetch occurred.
**Tool**: Use the Nuclei template (`CVE-2020-10770.yaml`) for automated detection.
**No Patch?**: Enforce a strict **URL allowlist** for `request_uri` values (exact hosts, HTTPS only) so the server never fetches an arbitrary URL.
**Block**: Add egress firewall rules that prevent the Keycloak host from making outbound requests to loopback, internal and private IP ranges, so that even a successful trigger cannot reach anything sensitive.
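An added example in Python, not code from this analysis, from the Exploit-DB PoC or from the Keycloak project, that covers both the self-check and the no-patch mitigation above: `build_probe_url` assembles the authorization request whose `request_uri` points at a callback host you control, `classify_request_uri` is the exact-host allowlist check a server-side fix needs (HTTPS only, no userinfo, literal private or loopback addresses rejected), and `scan_access_log` applies that check to access-log lines so past probes can be found after the fact. The realm `master`, the client id `security-admin-console`, the `redirect_uri` placeholder, the hostnames and the log lines are all assumptions made for illustration.

```python
"""Added example around the CVE-2020-10770 request_uri SSRF pattern.
Not the analysis page's, Exploit-DB's or Keycloak's own code."""
import ipaddress
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed defaults: the built-in "master" realm and a client present in a
# stock install. A real check should use the realm/client the target exposes.
DEFAULT_REALM = "master"
DEFAULT_CLIENT = "security-admin-console"


def build_probe_url(base_url, callback, realm=DEFAULT_REALM, client_id=DEFAULT_CLIENT):
    """Return the authorization-endpoint URL whose request_uri points at
    `callback` (a listener you control). On a vulnerable server the backend
    fetches `callback`; the HTTP reply does not show whether it did."""
    endpoint = f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/auth"
    params = {
        "scope": "openid",
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": "valid",   # placeholder (assumption: only request_uri matters here)
        "state": "probe",
        "nonce": "probe",
        "request_uri": callback,   # the server-side fetch target
    }
    return f"{endpoint}?{urlencode(params)}"


def classify_request_uri(uri, allowlist):
    """Allowlist verdict for a request_uri value: 'allowed' or the reason it
    is rejected. The exact-host match is what fails closed on odd encodings
    (hex IPs, lookalike domains); the IP check catches literal addresses."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return "unparseable"
    host = (parts.hostname or "").lower()
    if not host:
        return "missing host"
    if parts.username is not None or parts.password is not None:
        return "userinfo in authority"          # https://trusted@evil/ trick
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                                # a hostname, not a literal IP
    if ip is not None and not ip.is_global:
        return "non-public address"              # loopback, RFC1918, link-local, ...
    if parts.scheme != "https":
        return "scheme not https"
    if host not in allowlist:
        return "host not allowlisted"
    return "allowed"


_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_access_log(lines, allowlist):
    """Return (target, verdict) for every authorization request in the log
    whose request_uri the allowlist would have rejected."""
    hits = []
    for line in lines:
        m = _REQ.search(line)
        if not m or "/protocol/openid-connect/auth" not in m.group(1):
            continue
        query = urlsplit(m.group(1)).query
        for target in parse_qs(query).get("request_uri", []):
            verdict = classify_request_uri(target, allowlist)
            if verdict != "allowed":
                hits.append((target, verdict))
    return hits


# Constructed access-log lines (not real traffic): one probe at a link-local
# metadata address, one legitimate allowlisted request object, one unrelated hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2021:10:01:02 +0000] "GET /auth/realms/master/protocol/openid-connect/auth'
    '?scope=openid&response_type=code&client_id=security-admin-console&redirect_uri=valid&state=x&nonce=x'
    '&request_uri=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 302 -',
    '10.0.0.6 - - [12/Mar/2021:10:01:03 +0000] "GET /auth/realms/master/protocol/openid-connect/auth'
    '?scope=openid&response_type=code&client_id=portal&redirect_uri=https%3A%2F%2Fportal.example.com%2Fcb'
    '&state=y&nonce=y&request_uri=https%3A%2F%2Fidp.example.com%2Frequests%2Fabc HTTP/1.1" 302 -',
    '10.0.0.7 - - [12/Mar/2021:10:01:04 +0000] "GET /auth/realms/master/account/ HTTP/1.1" 200 1234',
]
ALLOWLIST = frozenset({"idp.example.com"})   # assumed trusted request-object host

if __name__ == "__main__":
    print(build_probe_url("https://sso.example.com", "http://abc.oast.example/"))
    for target, verdict in scan_access_log(SAMPLE_LOG, ALLOWLIST):
        print(f"suspicious request_uri {target!r}: {verdict}")
```

The allowlist check deliberately matches hosts exactly rather than by suffix, and it cannot see what a hostname resolves to; a trusted name that later resolves to an internal address is exactly the case the egress firewall rule above is there to cover.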
Q10 Is it urgent? (Priority Suggestion)
**Urgency**: **HIGH**.
**Reason**: Unauthenticated SSRF gives an outsider easy reconnaissance of the internal network and a path towards data exfiltration. Patch as soon as possible.