CVE-2019-14820 — Sensitive Information Exposure in Redhat Keycloak

CWE-200 — Sensitive Information Exposure6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.3%

top 45.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

5

Redhat Keycloak Keycloak Redhat Jboss Enterprise Application Platform +2 more

Timeline

PublishedJan 8

Latest updateApr 15

Description

It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶NVDredhat/keycloak< 8.0.0

▶CVEListV5keycloak/keycloakfixed in 8.0.0

▶NVDredhat/jboss_fuse7.0.0

▶NVDredhat/single_sign-on7.3

▶NVDredhat/jboss_enterprise_application_platform6.4.0, 7.2.0+1

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

3

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Keycloak↗2020-04-15

▶

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Keycloak↗2020-04-15

▶

CVEList

CVE-2019-14820: It was found that keycloak before version 8↗2020-01-08

▶

📋Vendor Advisories

1

Red Hat

keycloak: adapter endpoints are exposed via arbitrary URLs↗2019-10-14

▶

💬Community

1

Bugzilla

CVE-2019-14820 keycloak: adapter endpoints are exposed via arbitrary URLs↗2018-11-14

▶

CVE-2019-14820 — Sensitive Information Exposure | cvebase