critical
9.1
CWE
547 798
Advisory Published
CVE Published
CVE Published
Advisory Published
Updated

CVE-2019-14837

First published: Tue Jul 16 2019(Updated: )

A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test' Upstream issue: <a href="https://issues.jboss.org/browse/KEYCLOAK-10780">https://issues.jboss.org/browse/KEYCLOAK-10780</a> Upstream patch: <a href="https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f">https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f</a>

Credit: secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
redhat/rh-sso7-keycloak<0:4.8.15-1.Final_redhat_00001.1.el6
0:4.8.15-1.Final_redhat_00001.1.el6
redhat/rh-sso7-keycloak<0:4.8.15-1.Final_redhat_00001.1.el7
0:4.8.15-1.Final_redhat_00001.1.el7
redhat/rh-sso7-keycloak<0:4.8.15-1.Final_redhat_00001.1.el8
0:4.8.15-1.Final_redhat_00001.1.el8
maven/org.keycloak:keycloak-core<8.0.0
8.0.0
Red Hat Keycloak<8.0.0
Red Hat Single Sign-On=7.3

Remedy

It is not a very straight forward workaround but it is possible to mitigate this by manually editing the default Email ID (service_account_name@placeholder.org) to some valid email ID (abc@gmail.com) in the USER_ENTITY table in the RHSSO database used.

Remedy

https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the severity of CVE-2019-14837?

    CVE-2019-14837 is rated as a high severity vulnerability due to the potential for password reset exploitation.

  • How do I fix CVE-2019-14837?

    To remediate CVE-2019-14837, upgrade to Keycloak version 8.0.0 or later, or update to the patched versions provided by Red Hat.

  • Which versions of Keycloak are affected by CVE-2019-14837?

    CVE-2019-14837 affects Keycloak versions prior to 8.0.0, including specific Red Hat distributions before version 4.8.15-1.

  • What kind of attack does CVE-2019-14837 allow?

    CVE-2019-14837 allows an attacker with knowledge of a client name to reset passwords and gain unauthorized access to accounts.

  • Is there a known workaround for CVE-2019-14837?

    There are no known workarounds for CVE-2019-14837, so updating to a secure version is necessary.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203