When using Keycloak LDAP user federation with StartTLS enabled, any password, valid or invalid, is accepted, so anyone who knows a federated username can log in as that user.
Mitigation:
* If possible use SSL (ldaps) instead
* Disable StartTLS
Acknowledgments: Name: Tero Saarni
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14910
Statement: This flaw does not affect Red Hat's Single Sign On (RHSSO) product and, thus, no patch will be forthcoming.
Mitigation: Disabling StartTLS removes the authentication flaw but leaves the connection to the LDAP server unencrypted, so bind credentials and directory data cross the network in the clear. Using LDAPS (LDAP over TLS, normally on port 636) restores encryption; the protocol version used is whatever the LDAP server and Keycloak's Java runtime negotiate, so confirm that the server has legacy versions such as SSLv3 disabled and that its certificate is trusted by the Keycloak truststore.
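To check whether a deployment is in the affected configuration, and to apply the mitigation from both the description and the statement above (LDAPS with StartTLS disabled), the following added example audits a Keycloak realm export and rewrites an affected provider's config. It is example code written for this page, not Keycloak project code. The realm JSON is constructed; the config keys `connectionUrl`, `startTls` and `useTruststoreSpi` and the one-element-list value format follow the Keycloak LDAP provider's realm export as understood here, so compare them against a real export before relying on the script.

```python
"""Audit a Keycloak realm export for LDAP user federation providers using
StartTLS (the configuration affected by CVE-2019-14910) and produce the
hardened equivalent: LDAPS with StartTLS disabled.

Added example for this advisory page, not Keycloak project code. The realm
JSON is constructed; the config key names and list-valued format are assumed
to match Keycloak's realm export (verify against a real export).
"""
import json
from urllib.parse import urlsplit, urlunsplit

USER_STORAGE_TYPE = "org.keycloak.storage.UserStorageProvider"

# Constructed realm export fragment: one StartTLS provider (affected), one
# LDAPS provider (not affected) and one plaintext provider (not affected by
# the CVE, but unencrypted).
SAMPLE_REALM = json.loads(r'''
{
  "realm": "example",
  "components": {
    "org.keycloak.storage.UserStorageProvider": [
      {"id": "a1", "name": "corp-ldap-starttls", "providerId": "ldap",
       "config": {"connectionUrl": ["ldap://ldap.example.com:389"],
                  "startTls": ["true"], "useTruststoreSpi": ["ldapsOnly"]}},
      {"id": "b2", "name": "corp-ldaps", "providerId": "ldap",
       "config": {"connectionUrl": ["ldaps://ldap.example.com:636"],
                  "startTls": ["false"], "useTruststoreSpi": ["ldapsOnly"]}},
      {"id": "c3", "name": "legacy-plain", "providerId": "ldap",
       "config": {"connectionUrl": ["ldap://legacy.example.com"]}}
    ]
  }
}
''')


def _first(config, key, default=""):
    """Keycloak stores every component config value as a one-element list."""
    values = config.get(key) or [default]
    return values[0]


def ldap_providers(realm):
    """All user storage components whose providerId is the built-in 'ldap'."""
    return [c for c in realm.get("components", {}).get(USER_STORAGE_TYPE, [])
            if c.get("providerId") == "ldap"]


def audit_realm(realm):
    """Return (provider name, connectionUrl, verdict) for each LDAP provider."""
    findings = []
    for comp in ldap_providers(realm):
        cfg = comp.get("config", {})
        url = _first(cfg, "connectionUrl")
        start_tls = _first(cfg, "startTls", "false").lower() == "true"
        scheme = urlsplit(url).scheme.lower()
        if start_tls:
            # StartTLS is the affected mode regardless of the URL scheme.
            verdict = "VULNERABLE: StartTLS enabled (CVE-2019-14910), any password accepted"
        elif scheme == "ldaps":
            verdict = "OK: LDAPS, StartTLS disabled"
        else:
            verdict = "WARN: plaintext LDAP, credentials sent unencrypted"
        findings.append((comp.get("name", comp.get("id", "?")), url, verdict))
    return findings


def harden_ldap_config(config, ldaps_port=636):
    """Return a copy of one provider config with StartTLS disabled and the
    connection URL rewritten to LDAPS on ldaps_port. Assumes the directory
    server listens for LDAPS on that port and that its CA certificate is in
    the Keycloak truststore (otherwise the bind fails closed, which is still
    preferable to accepting every password)."""
    new = {k: list(v) for k, v in config.items()}
    parts = urlsplit(_first(config, "connectionUrl"))
    host = parts.hostname or ""
    if ":" in host:  # bare IPv6 literal needs brackets back
        host = f"[{host}]"
    new["connectionUrl"] = [urlunsplit(("ldaps", f"{host}:{ldaps_port}", parts.path, "", ""))]
    new["startTls"] = ["false"]
    # "ldapsOnly" is assumed to be the Keycloak value meaning "use the
    # configured truststore for ldaps:// connections".
    new.setdefault("useTruststoreSpi", ["ldapsOnly"])
    return new


if __name__ == "__main__":
    for name, url, verdict in audit_realm(SAMPLE_REALM):
        print(f"{name:22} {url:38} {verdict}")
    affected = ldap_providers(SAMPLE_REALM)[0]["config"]
    print(json.dumps(harden_ldap_config(affected), indent=2))
```

Run it against `kcadm.sh get realms/<realm>` output or an admin console export to list every affected provider; after switching a provider to LDAPS, re-run the audit and confirm the verdict is `OK`, then verify on the directory side that the LDAPS listener refuses SSLv3 and TLS 1.0 (for example with `openssl s_client -connect host:636 -ssl3`, which should fail).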