CVE-2019-14837 — Use of Hard-coded, Security-relevant Constants in Redhat Keycloak

CWE-547 — Use of Hard-coded, Security-relevant Constants CWE-798 — Hard-coded Credentials6 documents6 sources

Severity

9.1CRITICALNVD

EPSS

1.0%

top 22.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak RED HAT Keycloak Redhat Single Sign-on

Timeline

PublishedJan 7

Latest updateMay 24

Description

A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be '[email protected]'.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶NVDredhat/keycloak< 8.0.0

▶CVEListV5red_hat/keycloakbefore 8.0.0

▶NVDredhat/single_sign-on7.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

keycloak vulnerable to unauthorized login via mail server setup↗2022-05-24

▶

GHSA

keycloak vulnerable to unauthorized login via mail server setup↗2022-05-24

▶

CVEList

CVE-2019-14837: A flaw was found in keycloack before version 8↗2020-01-07

▶

📋Vendor Advisories

Red Hat

keycloak: keycloak uses hardcoded open dummy domain for new accounts enabling information disclosure↗2019-12-02

▶

💬Community

Bugzilla

CVE-2019-14837 keycloak: keycloak uses hardcoded open dummy domain for new accounts enabling information disclosure↗2019-07-16

▶