A flaw was found in Keycloak before version 8.0.0. Service-account users are given a synthetic email address on the 'placeholder.org' domain, so the owner of that domain can set up a mail server for it and, knowing only the name of a client, reset the service account's password and then log in. For example, for the client name 'test' the email address will be 'service-account-test@placeholder.org'.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"fixed": "8.0.0"
}
],
"source": "CPE_FIELD",
"vendor_product": "redhat:keycloak"
},
{
"cpes": [
"cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"last_affected": "7.3"
}
],
"source": "CPE_FIELD",
"vendor_product": "redhat:single_sign-on"
},
{
"extracted_events": [
{
"fixed": "8.0.0"
}
],
"source": "DESCRIPTION"
}
]
}