Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW02bW0tcTg2Mi1qMzY2
Improper Input Validation in Keycloak
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
Permalink: https://github.com/advisories/GHSA-m6mm-q862-j366
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW02bW0tcTg2Mi1qMzY2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 6 days ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-m6mm-q862-j366, CVE-2020-1714
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-1714
- https://github.com/keycloak/keycloak/pull/7053
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714
- https://github.com/keycloak/keycloak/commit/33863ba16117844930a38ebde57a25258f5b80fd
- https://github.com/advisories/GHSA-m6mm-q862-j366
Affected Packages
maven:org.keycloak:keycloak-common
Versions: < 11.0.0
Fixed in: 11.0.0
maven:org.keycloak:keycloak-core
Versions: < 11.0.0
Fixed in: 11.0.0