CVE-2019-14910

CRITICAL

Keycloak 7.x - Auth Bypass

Title source: llm

Description

A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered.

References (1)

[Issue Tracking, Mitigation, Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14910

Scores

CVSS v3 9.8

EPSS 0.0042

EPSS Percentile 61.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-295 CWE-305 CWE-287 CWE-592

Status published

Products (3)

org.keycloak/keycloak-parent 7.0.0Maven

redhat/keycloak 7.0.0

redhat/keycloak 7.0.1

Published Dec 05, 2019

Tracked Since Feb 18, 2026