CVE-2019-14910
CRITICALKeycloak 7.x - Improper Certificate Validation in LDAP StartTLS Authentication
Title source: llmDescription
A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered.
References (1)
Core 1
Core References
Issue Tracking, Mitigation, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14910
Scores
CVSS v3
9.8
EPSS
0.0105
EPSS Percentile
59.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-295
CWE-305
CWE-287
CWE-592
Status
published
Products (3)
org.keycloak/keycloak-parent
7.0.0Maven
redhat/keycloak
7.0.0
redhat/keycloak
7.0.1
Published
Dec 05, 2019
Tracked Since
Feb 18, 2026