CVE-2020-1714
Current Description
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
Basic Data
| Published | May 13, 2020 |
|---|
| Last Modified | May 15, 2020 |
|---|
| Assigner | cve@mitre.org |
|---|
| Data Type | CVE |
|---|
| Data Format | MITRE |
|---|
| Data Version | 4.0 |
|---|
| Problem Type | CWE-20 |
|---|
| CVE Data Version | 4.0 |
|---|
Base Metric V2
| CVSS 2 - Version | 2.0 |
|---|
| CVSS 2 - Vector String | AV:N/AC:L/Au:S/C:P/I:P/A:P |
|---|
| CVSS 2 - Access Vector | NETWORK |
|---|
| CVSS 2 - Access Complexity | LOW |
|---|
| CVSS 2 - Authentication | SINGLE |
|---|
| CVSS 2 - Confidentiality Impact | PARTIAL |
|---|
| CVSS 2 - Availability Impact | PARTIAL |
|---|
| CVSS 2 - Base Score | 6.5 |
|---|
| Severity | MEDIUM |
|---|
| Exploitability Score | 8.0 |
|---|
| Impact Score | 6.4 |
|---|
| Obtain All Privilege | false |
|---|
| Obtain User Privilege | false |
|---|
| Obtain Other Privilege | false |
|---|
Base Metric V3
No data provided.
Configurations
-
OR - Configuration 1
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Application | Redhat | Keycloak | * | * | * | * | * | * | * | * | � | � | � | 11.0.0 |
-
OR - Configuration 2
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Application | Redhat | Decision Manager | 7.0 | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Application | Redhat | Jboss Fuse | 7.0.0 | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Application | Redhat | Openshift Application Runtimes | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Application | Redhat | Process Automation | 7.0 | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Application | Redhat | Single Sign-on | 7.0 | * | * | * | * | * | * | * | � | � | � | � |
Vulnerable Software List
References
| Name | Source | URL | Tags |
|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714 | CONFIRM | Issue Tracking Third Party Advisory |
| https://github.com/keycloak/keycloak/pull/7053 | https://github.com/keycloak/keycloak/pull/7053 | CONFIRM | Patch Third Party Advisory |
Follow @discotekdotca