PT-2020-9607 · Red Hat · Keycloak

Published

2020-01-08

Updated

2021-10-29

CVE-2019-14820

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Keycloak versions prior to 8.0.0

Description The issue allows an attacker to access unauthorized information by invoking internal adapter endpoints in org.keycloak.constants.AdapterConstants via a specially-crafted URL.

Recommendations For versions prior to 8.0.0, update to version 8.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the internal adapter endpoints in org.keycloak.constants.AdapterConstants to minimize the risk of exploitation.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2019-14820

GHSA-XFQH-7356-VQJJ

RHSA-2019:3044

RHSA-2019:3045

RHSA-2019:3046

RHSA-2019:3048

RHSA-2019:3049

Affected Products

Keycloak

PT-2020-9607 · Red Hat · Keycloak

CVE-2019-14820

Weakness Enumeration

Related Identifiers

Affected Products

References · 5