CVE-2019-14909Improper Authentication in Redhat Keycloak

CWE-287Improper AuthenticationCWE-305Authentication Bypass by Primary WeaknessCWE-592DEPRECATED: Authentication Bypass IssuesCWE-306Missing Authentication for Critical Function6 documents6 sources
Severity
8.3HIGHNVD
EPSS
0.3%
top 47.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Redhat Keycloak
Timeline
PublishedDec 4
Latest updateMay 24

Description

A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.7

Affected Packages2 packages

CVEListV5redhat/keycloakn/a
NVDredhat/keycloak7.0.0, 7.0.1+1

🔴Vulnerability Details

3
OSV
Keycloak Authentication Error2022-05-24
GHSA
Keycloak Authentication Error2022-05-24
CVEList
CVE-2019-14909: A vulnerability was found in Keycloak 72019-12-04

📋Vendor Advisories

1
Red Hat
Keycloak: LDAP authentication accepts invalid passwords with bindType none2019-12-03

💬Community

1
Bugzilla
CVE-2019-14909 Keycloak: LDAP authentication accepts invalid passwords with bindType none2019-11-29
CVE-2019-14909 — Improper Authentication in Redhat | cvebase