6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.008 Low
EPSS
Percentile
81.9%
Severity: High
Date : 2020-05-16
CVE-ID : CVE-2020-1714
Package : keycloak
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1158
The package keycloak before version 10.0.1-1 is vulnerable to arbitrary
code execution.
Upgrade to 10.0.1-1.
The problem has been fixed upstream in version 10.0.1.
None.
A flaw was found in Keycloak, where the code base contains usages of
ObjectInputStream without type checks. This flaw allows an attacker to
inject arbitrarily serialized Java Objects, which would then get
deserialized in a privileged context and potentially lead to remote
code execution.
An authenticated remote attacker could execute arbitrary code by
injecting values into a custom attribute.
https://bugs.archlinux.org/task/66642
https://github.com/keycloak/keycloak/pull/7053
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714
https://security.archlinux.org/CVE-2020-1714
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.008 Low
EPSS
Percentile
81.9%