CVE-2019-14910 (RH:CVE-2019-14910)

Published: 2019-12-03 15:17:56
Source: redhat.com (access.redhat.com)

EPSS: 0.002 (percentile 55.6%)

A flaw was found in Keycloak 7.x where an invalid password is accepted for user authentication when LDAP user federation is configured to use STARTTLS instead of SSL/TLS (LDAPS) for the connection to the LDAP server. An attacker who knows a valid username can log in by supplying any value as the password and still gain access to the system.

Mitigation

Disabling STARTTLS will fix the authentication flaw but leaves the connection to the LDAP server unencrypted. Using LDAPS instead restores encryption on the LDAP connection, but only at the SSLv3 level, which poses problems of its own.

