Search for vulnerabilities
Vulnerability details: VCID-k4gc-uaw5-gyer
Vulnerability ID VCID-k4gc-uaw5-gyer
Aliases CVE-2020-1728
GHSA-3gg7-9q2x-79fc
Summary Improper Restriction of Rendered UI Layers or Frames in Keycloak A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-1021 Improper Restriction of Rendered UI Layers or Frames
CWE-358 Improperly Implemented Security Check for Standard
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 4.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1728.json
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2020-1728
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-3gg7-9q2x-79fc
generic_textual MODERATE https://issues.redhat.com/browse/KEYCLOAK-12264
cvssv2 5.8 https://nvd.nist.gov/vuln/detail/CVE-2020-1728
cvssv3.1 5.4 https://nvd.nist.gov/vuln/detail/CVE-2020-1728
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2020-1728
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1728.json
https://api.first.org/data/v1/epss?cve=CVE-2020-1728
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728
https://issues.redhat.com/browse/KEYCLOAK-12264
https://nvd.nist.gov/vuln/detail/CVE-2020-1728
1800585 https://bugzilla.redhat.com/show_bug.cgi?id=1800585
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
GHSA-3gg7-9q2x-79fc https://github.com/advisories/GHSA-3gg7-9q2x-79fc
RHSA-2020:3495 https://access.redhat.com/errata/RHSA-2020:3495
RHSA-2020:3496 https://access.redhat.com/errata/RHSA-2020:3496
RHSA-2020:3497 https://access.redhat.com/errata/RHSA-2020:3497
RHSA-2020:4213 https://access.redhat.com/errata/RHSA-2020:4213
RHSA-2020:4252 https://access.redhat.com/errata/RHSA-2020:4252
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1728.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-1728
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-1728
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.33879
EPSS Score 0.00134
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:46:04.413911+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-3gg7-9q2x-79fc/GHSA-3gg7-9q2x-79fc.json 37.0.0