Critical severityNVD Advisory· Published Dec 5, 2019· Updated Aug 5, 2024

CVE-2019-14910

Description

A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.keycloak:keycloak-parentMaven	>= 7.0.0, <= 7.0.1	—

Affected products

N/a/Keycloakv5
Range: n/a

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-jf86-9434-f8c2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2019-14910ghsaADVISORY
access.redhat.com/security/cve/cve-2019-14910ghsaWEB
bugzilla.redhat.com/show_bug.cgighsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000