{"containers": {"cna": {"affected": [{"product": "keycloak", "vendor": "keycloak", "versions": [{"status": "affected", "version": "fixed in 8.0.0"}]}], "descriptions": [{"lang": "en", "value": "It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-01-08T14:50:44", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-14820", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "keycloak", "version": {"version_data": [{"version_value": "fixed in 8.0.0"}]}}]}, "vendor_name": "keycloak"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information."}]}, "impact": {"cvss": [[{"vectorString": "4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:26:39.126Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-14820", "datePublished": "2020-01-08T14:50:44", "dateReserved": "2019-08-10T00:00:00", "dateUpdated": "2024-08-05T00:26:39.126Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", "matchCriteriaId": "637DA24E-DD9D-4895-8335-7C6A2AB6472F", "versionEndExcluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "B1ABA871-3271-48E2-A69C-5AD70AF94E53", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0952BA1A-5DF9-400F-B01F-C3A398A8A2D4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information."}, {"lang": "es", "value": "Se descubri\u00f3 que keycloak versiones anteriores la versi\u00f3n 8.0.0, expone los endpoints del adaptador interno en org.keycloak.constants.AdapterConstants, que pueden ser invocadas por medio de una URL especialmente dise\u00f1ada. Esta vulnerabilidad podr\u00eda permitir a un atacante acceder a informaci\u00f3n no autorizada."}], "id": "CVE-2019-14820", "lastModified": "2021-10-29T16:01:01.023", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-08T15:15:11.260", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2019:3048", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6", "package": "keycloak-adapter-sso7_3-eap6-0:4.8.13-1.Final_redhat_00001.1.ep6.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6", "release_date": "2019-10-14T00:00:00Z"}, {"advisory": "RHSA-2019:3048", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7", "package": "keycloak-adapter-sso7_3-eap6-0:4.8.13-1.Final_redhat_00001.1.ep6.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7", "release_date": "2019-10-14T00:00:00Z"}, {"advisory": "RHSA-2019:3049", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package": "eap7-keycloak-adapter-sso7_3-0:4.8.13-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-10-14T00:00:00Z"}, {"advisory": "RHSA-2019:3049", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package": "eap7-keycloak-adapter-sso7_3-0:4.8.13-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-10-14T00:00:00Z"}, {"advisory": "RHSA-2019:3049", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package": "eap7-keycloak-adapter-sso7_3-0:4.8.13-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-10-14T00:00:00Z"}, {"advisory": "RHSA-2019:3050", "cpe": "cpe:/a:redhat:jboss_single_sign_on:7.3", "package": "keycloak", "product_name": "Red Hat Single Sign-On 7.3.4 zip", "release_date": "2019-10-14T00:00:00Z"}, {"advisory": "RHSA-2019:3044", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7::el6", "package": "rh-sso7-keycloak-0:4.8.13-1.Final_redhat_00001.1.el6sso", "product_name": "Red Hat Single Sign-On 7.3 for RHEL 6", "release_date": "2019-10-14T00:00:00Z"}, {"advisory": "RHSA-2019:3045", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7::el7", "package": "rh-sso7-keycloak-0:4.8.13-1.Final_redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.3 for RHEL 7", "release_date": "2019-10-14T00:00:00Z"}, {"advisory": "RHSA-2019:3045", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7::el7", "package": "rh-sso7-libunix-dbus-java-0:0.8.0-2.el7sso", "product_name": "Red Hat Single Sign-On 7.3 for RHEL 7", "release_date": "2019-10-14T00:00:00Z"}, {"advisory": "RHSA-2019:3046", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7::el8", "package": "rh-sso7-keycloak-0:4.8.13-1.Final_redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.3 for RHEL 8", "release_date": "2019-10-14T00:00:00Z"}, {"advisory": "RHSA-2020:2067", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "product_name": "Text-Only RHOAR", "release_date": "2020-05-18T00:00:00Z"}], "bugzilla": {"description": "keycloak: adapter endpoints are exposed via arbitrary URLs", "id": "1649870", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1649870"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.", "It was found that keycloak exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information."], "name": "CVE-2019-14820", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Out of support scope", "package_name": "keycloak", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Out of support scope", "package_name": "keycloak", "product_name": "Red Hat OpenShift Application Runtimes"}], "public_date": "2019-10-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-14820\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14820"], "threat_severity": "Low", "upstream_fix": "keycloak 8.0.0"}