CVE-2019-14909

A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted.

CVSS v3 8.3 HIGH
CVSS v2.0 7.5 HIGH

8.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14909	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:keycloak:7.0.0:::::::*
	cpe:2.3:a:redhat:keycloak:7.0.1:::::::*

History

No history.

Information

Published : 2019-12-04 15:15

Updated : 2019-12-16 16:35

NVD link : CVE-2019-14909

Mitre link : CVE-2019-14909

CVE.ORG link : CVE-2019-14909

JSON object : View

Products Affected

redhat

keycloak

CWE

CWE-287

Improper Authentication

CWE-305

Authentication Bypass by Primary Weakness

CWE-592

DEPRECATED: Authentication Bypass Issues

{"id": "CVE-2019-14909", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 3.9}]}, "published": "2019-12-04T15:15:11.130", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14909", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-305"}, {"lang": "en", "value": "CWE-592"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Keycloak versiones 7.x donde un tipo de enlace de user federation LDAP es none (enlace an\u00f3nimo LDAP), y ser\u00e1 aceptada cualquier contrase\u00f1a, no v\u00e1lida o v\u00e1lida."}], "lastModified": "2019-12-16T16:35:08.667", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:7.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C86D8AEF-DBC7-4765-A20A-A304B3BFCE8D"}, {"criteria": "cpe:2.3:a:redhat:keycloak:7.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81B631C5-DBD4-4055-ADF3-4B2FECACE04F"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}