CVE-2019-14832
Aliases:GHSA-8prc-58j4-m55q
Advisory lineage Upstream: 0 Downstream: 3
Downstream
Modified
Published: 15 Oct 2019, 18:13
Last modified:05 Aug 2024, 00:26
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
0.38% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
15 Oct 2019, 18:13
Published
Vulnerability first disclosed
05 Aug 2024, 00:26
Last Modified
Vulnerability information updated
Description
A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- v3.0•MEDIUM•Score: 5CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
- v2.0•MEDIUM•Score: 6AV:N/AC:M/Au:S/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 0.38%• Percentile: 60%
Techniques & Countermeasures
- CWE-863•Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Affected Systems
- keycloak•keycloak rest api
< version 8.0.0 | fixed in 8.0.0
- org.keycloak•keycloak-model-infinispan
< 7.0.1
- org.keycloak•keycloak-model-jpa
< 7.0.1
- redhat•keycloak
< 7.0.1