CVE-2019-14910

Critical

A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS…

redhat·CWE-287·Published 2019-12-05

CVSS

9.8

EPSS

0.01

KEV

Exploits

cve.orgen

246 chars

A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered.

NVDen

246 chars

OSV.deven

246 chars

GHSAen

246 chars

NVDes

294 chars

Se encontró una vulnerabilidad en keycloak versiones 7.x, cuando keycloak es configurado con LDAP user federation y StartTLS es usado en lugar de SSL/TLS desde el servidor LDAP (ldaps), en este caso la autenticación del usuario tiene éxito inclusive si una contraseña no válida se ha ingresado.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	7.5	10.0	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
3.0	Primary	cve.org	9.3	—	—	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
3.0	Primary	cve.org	9.3	—	—	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
3.0	Secondary	NVD	9.3	3.9	4.7	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
3.1	Primary	NVD	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.1	Secondary	GHSA	9.8	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H