CVE-2020-1714
CVE-2020-1714 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Keycloak before version 11.0.0 uses ObjectInputStream without type checks, so an attacker can inject arbitrary serialized Java objects that are deserialized in a privileged context, potentially leading to remote code execution. EPSS estimates a 2.60% chance of exploitation in the next 30 days.
Description
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrary serialized Java objects, which are then deserialized in a privileged context and can potentially lead to remote code execution.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Keycloak | < 11.0.0 |
| Redhat | Decision Manager | 7.0 |
| Redhat | Jboss Fuse | 7.0.0 |
| Redhat | Openshift Application Runtimes | All versions |
| Redhat | Process Automation | 7.0 |
| Redhat | Single Sign-On | 7.0 |
| Quarkus | Quarkus | <= 1.4.2 |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714 (Issue Tracking, Vendor Advisory)
- https://github.com/keycloak/keycloak/pull/7053 (Patch, Third Party Advisory)
Source: NVD / NIST
