CVE-2019-14837

A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.

References

Affected packages

Git / github.com/keycloak/keycloak

Affected ranges

Type: GIT
Repo: https://github.com/keycloak/keycloak
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9a7c1a91a59ab85e7f8889a505be04a71580777f

Affected versions

1.*

1.0-alpha-1

1.0-alpha-1-12062013

1.0-alpha-2

1.0-alpha-3

1.0-beta-1

1.0-beta-2

1.0-beta-4

1.0-final

1.0-rc-1

1.0.0.Final

1.1.0.Beta2

1.3.0.Final

2.*

2.4.0.Test

Database specific

{
    "vanir_signatures": [
        {
            "deprecated": false,
            "target": {
                "function": "enableServiceAccount",
                "file": "services/src/main/java/org/keycloak/services/managers/ClientManager.java"
            },
            "source": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f",
            "digest": {
                "function_hash": "126741504771978729043369521787213189602",
                "length": 2126.0
            },
            "id": "CVE-2019-14837-a2c6884a",
            "signature_version": "v1",
            "signature_type": "Function"
        },
        {
            "deprecated": false,
            "target": {
                "file": "testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ClientTest.java"
            },
            "source": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f",
            "digest": {
                "line_hashes": [
                    "295086655340176707572018609400594224648",
                    "230923750416719097253666375686696885998",
                    "108230210546739027522137190012164367085",
                    "78978046634224970440187833274870526012"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2019-14837-a994c281",
            "signature_version": "v1",
            "signature_type": "Line"
        },
        {
            "deprecated": false,
            "target": {
                "file": "services/src/main/java/org/keycloak/services/managers/ClientManager.java"
            },
            "source": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f",
            "digest": {
                "line_hashes": [
                    "200630484469973896925688190004996223352",
                    "106990201193737904859435580061190294084",
                    "242540592970210906247907060871931382826",
                    "313877442859038868708636237180079387935",
                    "287591885956678564472639569559874497858",
                    "192601162570866188502893375547554967121",
                    "268569043936654145204061701475878886854",
                    "339493756575458172806346080204906596104"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2019-14837-b3b6e808",
            "signature_version": "v1",
            "signature_type": "Line"
        },
        {
            "deprecated": false,
            "target": {
                "function": "clientIdChanged",
                "file": "services/src/main/java/org/keycloak/services/managers/ClientManager.java"
            },
            "source": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f",
            "digest": {
                "function_hash": "108986492391179383934949050921934250974",
                "length": 389.0
            },
            "id": "CVE-2019-14837-bcaad3e1",
            "signature_version": "v1",
            "signature_type": "Function"
        },
        {
            "deprecated": false,
            "target": {
                "function": "serviceAccount",
                "file": "testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ClientTest.java"
            },
            "source": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f",
            "digest": {
                "function_hash": "240534348026170579334302078948668128437",
                "length": 395.0
            },
            "id": "CVE-2019-14837-dc9434cf",
            "signature_version": "v1",
            "signature_type": "Function"
        }
    ]
}