CVE-2019-14910 : What You Need to Know
Learn about CVE-2019-14910, a critical security flaw in Keycloak 7.x allowing successful user authentication with incorrect passwords in LDAP user federation using StartTLS. Find mitigation steps and preventive measures.
A security flaw was discovered in Keycloak 7.x that affects user authentication when set up with LDAP user federation using StartTLS instead of SSL/TLS.
Understanding CVE-2019-14910
This CVE involves a critical security vulnerability in Keycloak 7.x related to LDAP user federation configuration.
What is CVE-2019-14910?
The vulnerability allows successful user authentication even with an incorrect password when Keycloak is configured with LDAP user federation using StartTLS instead of LDAPS.
The Impact of CVE-2019-14910
- Base Score: 9.3 (Critical)
- Confidentiality Impact: High
- Integrity Impact: Low
- Attack Vector: Network
- Attack Complexity: Low
- Scope: Changed
Technical Details of CVE-2019-14910
This section provides detailed technical information about the CVE.
Vulnerability Description
The flaw in Keycloak 7.x allows successful user authentication with an incorrect password when configured with LDAP user federation using StartTLS.
Affected Systems and Versions
- Affected Product: Keycloak
- Affected Version: 7.x
Exploitation Mechanism
The vulnerability is exploited by configuring Keycloak with LDAP user federation using StartTLS instead of LDAPS, allowing successful authentication with incorrect passwords.
Mitigation and Prevention
Protect your systems from CVE-2019-14910 with the following steps:
Immediate Steps to Take
- Disable StartTLS and switch to LDAPS for LDAP user federation in Keycloak.
- Monitor authentication logs for any unusual activity.
Long-Term Security Practices
- Regularly review and update LDAP configurations for security best practices.
- Conduct security audits to identify and address any vulnerabilities.
Patching and Updates
- Apply patches or updates provided by Keycloak to address the security flaw.