CVE-2019-14832
First published: Thu Sep 05 2019(Updated: )
A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.keycloak:keycloak-model-jpa | <7.0.1 | 7.0.1 |
| maven/org.keycloak:keycloak-model-infinispan | <7.0.1 | 7.0.1 |
| Redhat Keycloak | <7.0.1 | |
| redhat/rh-sso7-keycloak | <0:4.8.13-1.Final_redhat_00001.1.el6 | 0:4.8.13-1.Final_redhat_00001.1.el6 |
| redhat/rh-sso7-keycloak | <0:4.8.13-1.Final_redhat_00001.1.el7 | 0:4.8.13-1.Final_redhat_00001.1.el7 |
| redhat/rh-sso7-libunix-dbus-java | <0:0.8.0-2.el7 | 0:0.8.0-2.el7 |
| redhat/rh-sso7-keycloak | <0:4.8.13-1.Final_redhat_00001.1.el8 | 0:4.8.13-1.Final_redhat_00001.1.el8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-14832
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14832
- https://github.com/keycloak/keycloak/commit/0b73685ccf3181115ae3936a578708630215ac23
- https://github.com/advisories/GHSA-8prc-58j4-m55q (Advisory)
- https://access.redhat.com/errata/RHSA-2019:3044
- https://access.redhat.com/errata/RHSA-2019:3045
- https://access.redhat.com/errata/RHSA-2019:3046
- https://access.redhat.com/errata/RHSA-2019:3050
- https://access.redhat.com/security/cve/cve-2019-14832
- https://access.redhat.com/errata/RHSA-2020:2067
- https://access.redhat.com/errata/RHSA-2020:2366
- https://bugzilla.redhat.com/show_bug.cgi?id=1749487
- https://www.cve.org/CVERecord?id=CVE-2019-14832 https://nvd.nist.gov/vuln/detail/CVE-2019-14832
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-14832?
CVE-2019-14832 is a vulnerability in the Keycloak REST API that allows unauthorized access to user information.
What is the severity of CVE-2019-14832?
CVE-2019-14832 has a severity rating of 7.5 (high).
How does CVE-2019-14832 impact Keycloak before version 7.0.1?
CVE-2019-14832 allows an authenticated attacker with knowledge of a user id to access unauthorized information or carry out unauthorized actions.
How do I fix the CVE-2019-14832 vulnerability?
To fix the CVE-2019-14832 vulnerability, update Keycloak to version 7.0.1 or later.
Are there any additional references for CVE-2019-14832?
Yes, you can refer to the following links for more information on CVE-2019-14832: [Reference 1](https://access.redhat.com/errata/RHSA-2019:3044), [Reference 2](https://access.redhat.com/errata/RHSA-2019:3045), [Reference 3](https://access.redhat.com/errata/RHSA-2019:3046).
- collector/github-advisory
- alias/GHSA-8prc-58j4-m55q
- alias/CVE-2019-14832
- collector/github-advisory-latest
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/severity
- agent/weakness
- agent/references
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/maven
- package-manager/redhat
- vendor/redhat
- canonical/redhat keycloak