A bug exists in Keycloak 7.x where, when the user federation LDAP bind type is "none" (LDAP anonymous bind), any password, invalid or valid, will be accepted.
Mitigation: If the LDAP service supports "simple", use that method instead.
Acknowledgments: Name: Clément Dufaure
Mitigation: Use bindType:Simple
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14909
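One way to check a deployment for the bind type described above is to audit a realm export for LDAP user federation providers that are not set to simple bind. This is an added example, not code from Keycloak or from this bug report; the export layout (providers under `components`, list-valued config entries, the bind type stored under the `authType` key) is an assumption, and the sample data is constructed.

```python
import json

# Constructed sample in the shape of a Keycloak realm export (assumed layout:
# LDAP federation providers live under components ->
# "org.keycloak.storage.UserStorageProvider", with list-valued config entries).
SAMPLE_REALM_EXPORT = json.loads("""
{
  "realm": "example",
  "components": {
    "org.keycloak.storage.UserStorageProvider": [
      {"name": "corp-ldap", "providerId": "ldap",
       "config": {"authType": ["none"], "connectionUrl": ["ldap://ldap.example.test"]}},
      {"name": "hr-ldap", "providerId": "ldap",
       "config": {"authType": ["simple"], "bindDn": ["cn=svc,dc=example,dc=test"]}},
      {"name": "legacy-ldap", "providerId": "ldap",
       "config": {"connectionUrl": ["ldap://old.example.test"]}}
    ]
  }
}
""")

STORAGE_KEY = "org.keycloak.storage.UserStorageProvider"


def first(config, key):
    """Config values are exported as single-element lists; return the first or None."""
    value = config.get(key)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def audit_ldap_bind_type(realm):
    """Return (provider name, finding) for LDAP providers not using simple bind."""
    findings = []
    for comp in realm.get("components", {}).get(STORAGE_KEY, []):
        if comp.get("providerId") != "ldap":
            continue  # other user storage providers are out of scope here
        auth_type = first(comp.get("config", {}), "authType")
        if auth_type is None:
            findings.append((comp.get("name"), "bind type not set, verify manually"))
        elif auth_type.strip().lower() != "simple":
            findings.append((comp.get("name"), f"bind type is {auth_type!r}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_ldap_bind_type(SAMPLE_REALM_EXPORT):
        print(f"{name}: {finding}")
```

Providers with no bind type recorded are reported separately so they can be checked by hand in the admin console rather than assumed safe.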