logo

Database

Authentication mechanism absence or evasion In org.keycloak:keycloak-core

Description

keycloak vulnerable to unauthorized login via mail server setup A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be '[email protected]'.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-148372. NVD-2019-148373. OSV-2019-148374. GCVE-2019-14837

References

1. https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f2. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-148373. https://issues.jboss.org/browse/KEYCLOAK-10780

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.