CVE-2019-14837 — Vulnetix

CVE-2019-14837 PUBLISHED CVSS 9.1 CRITICAL

Reported by redhat · Published January 7, 2020

A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.

Risk Scores

CVSS 3.0

9.1

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products

Vendor	Product	Versions
Red Hat	keycloak	before 8.0.0
Maven	org.keycloak:keycloak-core	0, 0
Red Hat	keycloak	before 8.0.0, before 8.0.0

Exploit Intelligence

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837 (nist-nvd)

Timeline

Jan 7, 2020 CVE Published
Apr 14, 2021 EPSS Score
Jun 23, 2021 EPSS Score
Oct 26, 2021 EPSS Score
Dec 27, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 1, 2022 EPSS Score
Jul 3, 2022 EPSS Score
Sep 4, 2022 EPSS Score
Jan 8, 2023 EPSS Score

References

x_refsource_CONFIRM
x_refsource_CONFIRM
x_refsource_CONFIRM
https://nvd.nist.gov/vuln/detail/CVE-2019-14837 advisory
https://github.com/advisories/GHSA-cf8f-w2c5-p5jr advisory

Open in Interactive Console →