CVE-2020-1714

HIGH8.8EPSS 2.2%

Improper Input Validation in Keycloak

Published: 2/9/2022Modified: 2/16/2024

Description

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

Affected packages (2)

Maven/org.keycloak:keycloak-commonfrom 0, < 11.0.0
Maven/org.keycloak:keycloak-corefrom 0, < 11.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-1714
PATCHhttps://github.com/keycloak/keycloak
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714
WEBhttps://github.com/keycloak/keycloak/commit/33863ba16117844930a38ebde57a25258f5b80fd
WEBhttps://github.com/keycloak/keycloak/pull/7053