CVE-2019-14820

Aliases:GHSA-xfqh-7356-vqjj

Advisory lineage Upstream: 0 Downstream: 5

Downstream

RHSA-2019:3044 RHSA-2019:3045 RHSA-2019:3046 RHSA-2019:3048 RHSA-2019:3049

Modified

Published: 08 Jan 2020, 14:50

Last modified:05 Aug 2024, 00:26

Vulnerability Summary

Overall Risk (default)

low

17/100

CVSS Score

4.3 MEDIUM

v3.0 (cve.org)

EPSS Score

0.31% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

08 Jan 2020, 14:50

Published

Vulnerability first disclosed

05 Aug 2024, 00:26

Last Modified

Vulnerability information updated

Description

It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.

CVSS Metrics

v3.1•MEDIUM•Score: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
v3.0•MEDIUM•Score: 4.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
v2.0•MEDIUM•Score: 4AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.31%• Percentile: 54%

Techniques & Countermeasures

CWE-200•Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Systems

keycloak•keycloak
fixed in 8.0.0
org.keycloak•keycloak-core
< 8.0.0
redhat•jboss_enterprise_application_platform
6.4.0 | 7.2.0
redhat•jboss_fuse
7.0.0
redhat•keycloak
< 8.0.0
redhat•single_sign-on
7.3