CVE-2019-14837
Aliases:GHSA-cf8f-w2c5-p5jr
Advisory lineage Upstream: 0 Downstream: 3
Downstream
Modified
Published: 07 Jan 2020, 16:33
Last modified:05 Aug 2024, 00:26
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.1 CRITICAL
v3.0 (cve.org)
EPSS Score
1.01% LOW
1% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
07 Jan 2020, 16:33
Published
Vulnerability first disclosed
05 Aug 2024, 00:26
Last Modified
Vulnerability information updated
Description
A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.
CVSS Metrics
- v3.1•CRITICAL•Score: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- v3.0•CRITICAL•Score: 9.1CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- v2.0•MEDIUM•Score: 6.4AV:N/AC:L/Au:N/C:P/I:P/A:N
EPSS Trends
Current EPSS score: 1.01%• Percentile: 77%
Techniques & Countermeasures
- CWE-798•Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.
- CWE-547•Use of Hard-coded, Security-relevant Constants
The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.
Affected Systems
- org.keycloak•keycloak-core
< 8.0.0
- red hat•keycloak
< 8.0.0
- redhat•keycloak
< 8.0.0
- redhat•single_sign-on
7.3