{"containers": {"cna": {"affected": [{"product": "Keycloak", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-305", "description": "CWE-305", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-592", "description": "CWE-592", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-12-05T14:16:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14910"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:34:51.746Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14910"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-14910", "datePublished": "2019-12-05T14:16:00", "dateReserved": "2019-08-10T00:00:00", "dateUpdated": "2024-08-05T00:34:51.746Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "C86D8AEF-DBC7-4765-A20A-A304B3BFCE8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:keycloak:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "81B631C5-DBD4-4055-ADF3-4B2FECACE04F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en keycloak versiones 7.x, cuando keycloak es configurado con LDAP user federation y StartTLS es usado en lugar de SSL/TLS desde el servidor LDAP (ldaps), en este caso la autenticaci\u00f3n del usuario tiene \u00e9xito inclusive si una contrase\u00f1a no v\u00e1lida se ha ingresado."}], "id": "CVE-2019-14910", "lastModified": "2020-10-09T13:33:45.270", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-05T15:15:11.157", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Mitigation", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14910"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-305"}, {"lang": "en", "value": "CWE-592"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Tero Saarni for reporting this issue.", "bugzilla": {"description": "Keycloak: LDAP authentication accepts invalid passwords when using StartTLS", "id": "1778265", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1778265"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-287->CWE-305->CWE-592", "details": ["A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered.", "A flaw was found in keycloak 7.x where an invalid password is accepted for user authentication when LDAP user federation and STARTTLS is used instead of SSL/TLS from the LDAP server. This can allow an attacker to log into a system using any entry for a password authentication and still gain access to the system."], "mitigation": {"lang": "en:us", "value": "Disabling STARTTLS will fix the authentication flaw but leave the connection to the LDAP server unencrypted. Utilizing LDAPS will add a layer of encryption back to the LDAP connection but only at the SSLv3 level which also poses problems in and of itself."}, "name": "CVE-2019-14910", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "impact": "important", "package_name": "keycloak", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2019-12-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-14910\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14910"], "statement": "This flaw does not affect Red Hat's Single Sign On (RHSSO) product and, thus, no patch will be forthcoming.", "threat_severity": "Important"}