What is CVE-2019-14909?

CVE-2019-14909 is a critical-severity vulnerability in Keycloak, classified under Improper Authentication. CVSS score: 9.3/10. Published 2019-12-04.

How severe is CVE-2019-14909?

Critical severity. CVSS v3 base score is 9.3 out of 10.

Auth bypass in Keycloak

CVE-2019-14909

A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted.

Vulnerability class: Broken Authentication

EPSS: 0.003 (52.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.3 (Critical). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N.

Affected products

N/a Keycloak — versions n/a

Weakness classification (CWE)

CWE-287 — Improper Authentication
CWE-305 — Authentication Bypass by Primary Weakness
CWE-592

References

bugzilla.redhat.com/show_bug.cgi (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2019-14909?: CVE-2019-14909 is a critical-severity vulnerability in Keycloak, classified under Improper Authentication. CVSS score: 9.3/10. Published 2019-12-04.
How severe is CVE-2019-14909?: Critical severity. CVSS v3 base score is 9.3 out of 10.