Bug 1749487 (CVE-2019-14832) - CVE-2019-14832 keycloak: cross-realm user access auth bypass
Summary: CVE-2019-14832 keycloak: cross-realm user access auth bypass
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14832
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1749442
TreeView+ depends on / blocked
 
Reported: 2019-09-05 18:15 UTC by Chess Hazlett
Modified: 2020-12-15 15:52 UTC (History)
34 users (show)

Fixed In Version: keycloak 7.0.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Keycloak REST API where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.
Clone Of:
Environment:
Last Closed: 2019-10-15 00:51:16 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3044 0 None None None 2019-10-14 18:28:50 UTC
Red Hat Product Errata RHSA-2019:3045 0 None None None 2019-10-14 18:29:11 UTC
Red Hat Product Errata RHSA-2019:3046 0 None None None 2019-10-14 18:29:29 UTC
Red Hat Product Errata RHSA-2019:3050 0 None None None 2019-10-14 18:59:35 UTC
Red Hat Product Errata RHSA-2020:2067 0 None None None 2020-05-18 10:26:00 UTC
Red Hat Product Errata RHSA-2020:2366 0 None None None 2020-06-04 13:06:53 UTC

Description Chess Hazlett 2019-09-05 18:15:42 UTC 
Keycloak permits some access to a user in one realm from a user logged into another. An attacker could use this to access restricted information, or carry out further attacks.
Comment 4 errata-xmlrpc 2019-10-14 18:28:49 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 6

Via RHSA-2019:3044 https://access.redhat.com/errata/RHSA-2019:3044
Comment 5 errata-xmlrpc 2019-10-14 18:29:10 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 7

Via RHSA-2019:3045 https://access.redhat.com/errata/RHSA-2019:3045
Comment 6 errata-xmlrpc 2019-10-14 18:29:27 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 8

Via RHSA-2019:3046 https://access.redhat.com/errata/RHSA-2019:3046
Comment 7 errata-xmlrpc 2019-10-14 18:59:34 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3.4 zip

Via RHSA-2019:3050 https://access.redhat.com/errata/RHSA-2019:3050
Comment 8 Product Security DevOps Team 2019-10-15 00:51:16 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14832
Comment 9 Rich Main 2019-11-15 17:14:29 UTC 
It appears that the fix was pushed to Keycloak 7.0.1 (see https://github.com/keycloak/keycloak/commit/0b73685ccf3181115ae3936a578708630215ac23), but this bug states that the fix version is keycloak 8.0.0. Could you clarify why there is a discrepancy or perhaps update the fix version here?

If the fix version is really 7.0.1, I would like to get the NVD data updated to reflect that so our security scanning tools don't report a false positive. But, they are keying off of the fix version in this bug. So, I'm hoping to get things cleaned up here and then unwind...

Thanks!
Comment 15 errata-xmlrpc 2020-05-18 10:25:57 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
Comment 16 errata-xmlrpc 2020-06-04 13:06:50 UTC 
This issue has been addressed in the following products:

  Red Hat Runtimes Spring Boot 2.1.12

Via RHSA-2020:2366 https://access.redhat.com/errata/RHSA-2020:2366
Note You need to log in before you can comment on or make changes to this bug.