CVE-2019-14909

HIGH

Keycloak 7.x - Auth Bypass

Title source: llm

Description

A vulnerability was found in Keycloak 7.x: when a user federation provider's LDAP bind type is "none" (LDAP anonymous bind), any password, whether valid or invalid, is accepted at login.

Scores

CVSS v3 8.3
EPSS 0.0029
EPSS Percentile 52.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Details

CWE
CWE-305 CWE-287 CWE-592
Status published
Products (3)
org.keycloak/keycloak-parent 7.0.0 (Maven)
redhat/keycloak 7.0.0
redhat/keycloak 7.0.1
Published Dec 04, 2019
Tracked Since Feb 18, 2026