Bug 1649870 (CVE-2019-14820)
| Summary: | CVE-2019-14820 keycloak: adapter endpoints are exposed via arbitrary URLs | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | aileenc, avibelli, bgeorges, cbyrne, chazlett, cmacedo, cmoulliard, dffrench, drieden, drusso, ggaughan, hghasemb, ikanello, janstey, jbalunas, jmadigan, jochrist, jpadman, jpallich, jshepherd, krathod, lgriffin, lthon, mszynkie, ngough, pdrozd, pgallagh, pwright, rruss, security-response-team, sthorger, trepel, trogers |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | keycloak 8.0.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | It was found that keycloak exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-10-15 00:51:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1649873 | | |
Description
Laura Pardo, 2018-11-14 16:34:10 UTC

This vulnerability is out of security support scope for the following products:
* Red Hat Openshift Application Runtimes Spring Boot

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This vulnerability is out of security support scope for the following product:
* Red Hat Mobile Application Platform

Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details.

This issue has been addressed in the following products:
* Red Hat Single Sign-On 7.3 for RHEL 6

Via RHSA-2019:3044 https://access.redhat.com/errata/RHSA-2019:3044

This issue has been addressed in the following products:
* Red Hat Single Sign-On 7.3 for RHEL 7

Via RHSA-2019:3045 https://access.redhat.com/errata/RHSA-2019:3045

This issue has been addressed in the following products:
* Red Hat Single Sign-On 7.3 for RHEL 8

Via RHSA-2019:3046 https://access.redhat.com/errata/RHSA-2019:3046

This issue has been addressed in the following products:
* Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
* Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2019:3048 https://access.redhat.com/errata/RHSA-2019:3048

This issue has been addressed in the following products:
* Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
* Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
* Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2019:3049 https://access.redhat.com/errata/RHSA-2019:3049

This issue has been addressed in the following products:
* Red Hat Single Sign-On 7.3.4 zip

Via RHSA-2019:3050 https://access.redhat.com/errata/RHSA-2019:3050

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14820

This issue has been addressed in the following products:
* Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067