CVE-2020-1714

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

Published: May 13, 2020
Updated: May 9, 2024
CVE: CVE-2020-1714
GHSA: GHSA-m6mm-q862-j366
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
redhat / keycloak	-	11.0.0
redhat / decision_manager	7.0	7.0.x
redhat / single_sign-on	7.0	7.0.x
redhat / jboss_fuse	7.0.0	7.0.0.x
redhat / process_automation	7.0	7.0.x
quarkus / quarkus	-	1.4.2.x
org.keycloak / keycloak-parent	-	11.0.0

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714
https://github.com/keycloak/keycloak/pull/7053

Vulnerability Database

289,598

CVE-2020-1714