CVE-2020-1714

HIGH

Keycloak <11.0.0 - Code Injection

Title source: llm

Description

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

Scores

CVSS v3 8.8
EPSS 0.0215
EPSS Percentile 84.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-20
Status published

Affected Products (9)

redhat/keycloak < 11.0.0
redhat/decision_manager
redhat/jboss_fuse
redhat/openshift_application_runtimes
redhat/process_automation
redhat/single_sign-on
quarkus/quarkus < 1.4.2
org.keycloak/keycloak-core < 11.0.0 (Maven)
org.keycloak/keycloak-common < 11.0.0 (Maven)

Timeline

Published May 13, 2020
Tracked Since Feb 18, 2026