Fluid Attacks Database

Description

Improper Input Validation in Keycloak A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-core	>=0 <11.0.0	11.0.0
maven	org.keycloak:keycloak-common	>=0 <11.0.0	11.0.0
maven	org.keycloak:keycloak-parent	<0	-

Aliases

1. CVE-2020-17142. NVD-2020-17143. OSV-2020-17144. GHSA-m6mm-q862-j3665. GCVE-2020-17146. bugzilla.redhat.com

References

1. https://github.com/keycloak/keycloak/pull/70532. https://github.com/keycloak/keycloak/commit/33863ba16117844930a38ebde57a25258f5b80fd3. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.