CVE-2019-14909

Name of the Vulnerable Software and Affected Versions Keycloak versions 7.x

Description A vulnerability was found in the user federation LDAP bind type, where any password will be accepted if the LDAP bind type is set to none (LDAP anonymous bind). The issue is related to errors in the implementation of the authentication procedure, which can allow a remote attacker to elevate their privileges.

Recommendations For Keycloak version 7.x, consider changing the LDAP bind type from none to a more secure option to mitigate the risk of exploitation. As a temporary workaround, restrict access to the LDAP authentication mechanism until a proper fix is applied.