CVE-2020-1714

CWE-20 — Improper Input Validation7 documents6 sources

Severity

8.8HIGH

EPSS

2.2%

top 15.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

7

Redhat Keycloak Quarkus Quarkus RED HAT Keycloak +4 more

Timeline

PublishedMay 13

Latest updateFeb 9

Description

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages9 packages

▶NVDredhat/keycloak< 11.0.0

▶Mavenorg.keycloak:keycloak-core< 11.0.0

▶Mavenorg.keycloak:keycloak-common< 11.0.0

▶CVEListV5red_hat/keycloakbefore 11.0.0

▶NVDquarkus/quarkus1.4.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

3

OSV

Improper Input Validation in Keycloak↗2022-02-09

▶

GHSA

Improper Input Validation in Keycloak↗2022-02-09

▶

CVEList

CVE-2020-1714: A flaw was found in Keycloak before version 11↗2020-05-13

▶

📋Vendor Advisories

1

Red Hat

keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution↗2020-05-11

▶

💬Community

2

Bugzilla

CVE-2020-25665 ImageMagick: heap-based buffer overflow in WritePALMImage in coders/palm.c↗2020-10-26

▶

Bugzilla

CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution↗2019-05-03

▶