CVE-2020-1714

HIGH

Keycloak < 11.0.0 - Remote Code Execution via Unsafe Deserialization

Title source: llm

Description

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

References (2)

Core 2

Core References

Issue Tracking, Vendor Advisory x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714

Patch, Third Party Advisory x_refsource_confirm

https://github.com/keycloak/keycloak/pull/7053

Scores

CVSS v3 8.8

EPSS 0.0215

EPSS Percentile 84.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-20

Status published

Products (9)

org.keycloak/keycloak-common 0 - 11.0.0Maven

org.keycloak/keycloak-core 0 - 11.0.0Maven

quarkus/quarkus < 1.4.2

redhat/decision_manager 7.0

redhat/jboss_fuse 7.0.0

redhat/keycloak < 11.0.0

redhat/openshift_application_runtimes

redhat/process_automation 7.0

redhat/single_sign-on 7.0

Published May 13, 2020

Tracked Since Feb 18, 2026