Vulnerability Description
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Keycloak | < 11.0.0 |
| Redhat | Decision Manager | 7.0 |
| Redhat | Jboss Fuse | 7.0.0 |
| Redhat | Openshift Application Runtimes | - |
| Redhat | Process Automation | 7.0 |
| Redhat | Single Sign-On | 7.0 |
| Quarkus | Quarkus | <= 1.4.2 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714Issue TrackingVendor Advisory
- https://github.com/keycloak/keycloak/pull/7053PatchThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714Issue TrackingVendor Advisory
- https://github.com/keycloak/keycloak/pull/7053PatchThird Party Advisory
FAQ
What is CVE-2020-1714?
CVE-2020-1714 is a vulnerability with a CVSS score of 8.8 (HIGH). A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Obj...
How severe is CVE-2020-1714?
CVE-2020-1714 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-1714?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Keycloak, Redhat Decision Manager, Redhat Jboss Fuse, Redhat Openshift Application Runtimes, Redhat Process Automation.