PT-2020-2764 · Red Hat · Keycloak

Marian Rehak

Published

2020-01-07

Updated

2022-05-24

CVE-2019-14837

CVSS v2.0

9.4

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions Keycloak versions prior to 8.0.0

Description A flaw in Keycloak allows the owner of a domain to set up a mail server and reset a client's password, knowing only the client's name. For instance, a client named 'test' would have an email address like 'service-account-test@placeholder.org'. This issue is related to the use of predefined registration data, which can be exploited by a remote attacker to gain unauthorized access to protected information.

Recommendations For versions prior to 8.0.0, update to version 8.0.0 or later to resolve the issue.

Exploit

Fix

Using Hardcoded Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-798CWE-547

Related Identifiers

BDU:2020-02856

CVE-2019-14837

GHSA-CF8F-W2C5-P5JR

RHSA-2019:4040

RHSA-2019:4041

RHSA-2019:4042

Affected Products

Keycloak

PT-2020-2764 · Red Hat · Keycloak

CVE-2019-14837

Weakness Enumeration

Related Identifiers

Affected Products

References · 9