Bug 1749487 (CVE-2019-14832)

Summary: CVE-2019-14832 keycloak: cross-realm user access auth bypass
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, avibelli, bgeorges, cbyrne, chazlett, cmacedo, cmoulliard, dffrench, dkreling, drieden, drusso, ggaughan, ikanello, janstey, jbalunas, jmadigan, jochrist, jpallich, jshepherd, jwon, krathod, lthon, mszynkie, ngough, pdrozd, pgallagh, pjindal, pwright, rich.main, rruss, security-response-team, sthorger, trepel, trogers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: keycloak 7.0.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Keycloak REST API where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-15 00:51:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1749442    

Description Chess Hazlett 2019-09-05 18:15:42 UTC 
Keycloak permits some access to a user in one realm from a user logged into another. An attacker could use this to access restricted information, or carry out further attacks.
Comment 4 errata-xmlrpc 2019-10-14 18:28:49 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 6

Via RHSA-2019:3044 https://access.redhat.com/errata/RHSA-2019:3044
Comment 5 errata-xmlrpc 2019-10-14 18:29:10 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 7

Via RHSA-2019:3045 https://access.redhat.com/errata/RHSA-2019:3045
Comment 6 errata-xmlrpc 2019-10-14 18:29:27 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 8

Via RHSA-2019:3046 https://access.redhat.com/errata/RHSA-2019:3046
Comment 7 errata-xmlrpc 2019-10-14 18:59:34 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3.4 zip

Via RHSA-2019:3050 https://access.redhat.com/errata/RHSA-2019:3050
Comment 8 Product Security DevOps Team 2019-10-15 00:51:16 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14832
Comment 9 Rich Main 2019-11-15 17:14:29 UTC 
It appears that the fix was pushed to Keycloak 7.0.1 (see https://github.com/keycloak/keycloak/commit/0b73685ccf3181115ae3936a578708630215ac23), but this bug states that the fix version is keycloak 8.0.0. Could you clarify why there is a discrepancy or perhaps update the fix version here?

If the fix version is really 7.0.1, I would like to get the NVD data updated to reflect that so our security scanning tools don't report a false positive. But, they are keying off of the fix version in this bug. So, I'm hoping to get things cleaned up here and then unwind...

Thanks!
Comment 15 errata-xmlrpc 2020-05-18 10:25:57 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
Comment 16 errata-xmlrpc 2020-06-04 13:06:50 UTC 
This issue has been addressed in the following products:

  Red Hat Runtimes Spring Boot 2.1.12

Via RHSA-2020:2366 https://access.redhat.com/errata/RHSA-2020:2366