An information disclosure vulnerability exists in the challenge functionality of instipod DuoUniversalKeycloakAuthenticator 1.0.7 plugin. A specially crafted HTTP request can lead to a disclosure of sensitive information. A user logging into Keycloak using DuoUniversalKeycloakAuthenticator plugin triggers this vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
| talos-cna@cisco.com | 4.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N | 0.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| michaelkelly | duouniversalkeycloakauthenticator | * |