CVE-2019-14837

Use of Hard-coded Credentials in maven/org.keycloak/keycloak-core

Identifiers

GHSA-cf8f-w2c5-p5jr, CVE-2019-14837

Package Slug

maven/org.keycloak/keycloak-core

Vulnerability

Use of Hard-coded Credentials

Description

A flaw was found in Keycloak before version 8.0.0. The owner of the 'placeholder.org' domain can set up a mail server on this domain and, knowing only the name of a client, can reset the password and then log in. For example, for the client name 'test' the email address will be 'service-account-test@placeholder.org'.
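
An audit check for the address pattern described above, added here as an example and not taken from Keycloak or from this advisory: it lists accounts in a realm export whose email is on 'placeholder.org'. The export layout (the `users`, `clients`, `email`, `username`, `serviceAccountClientId` and `clientId` keys) and the sample realm are assumptions constructed for illustration.

```python
PLACEHOLDER_DOMAIN = "placeholder.org"  # domain named in the advisory
SA_PREFIX = "service-account-"          # local-part prefix named in the advisory


def find_placeholder_accounts(realm: dict) -> list:
    """Return one finding per user whose email is on the placeholder domain."""
    # Assumed export layout: realm["clients"][i]["clientId"], realm["users"][i][...]
    client_ids = {c["clientId"] for c in realm.get("clients", []) if c.get("clientId")}
    findings = []
    for user in realm.get("users", []):
        email = (user.get("email") or "").strip()
        local, sep, domain = email.rpartition("@")
        # Compare case-insensitively and tolerate a trailing dot on the domain.
        if not sep or domain.lower().rstrip(".") != PLACEHOLDER_DOMAIN:
            continue
        # Client name implied by the address, if it follows the advisory's pattern.
        derived = local[len(SA_PREFIX):] if local.lower().startswith(SA_PREFIX) else None
        client = user.get("serviceAccountClientId") or derived
        findings.append({
            "username": user.get("username"),
            "email": email,
            "client": client,
            "matches_advisory_pattern": derived is not None,
            "client_in_realm": client is not None and client in client_ids,
            "enabled": user.get("enabled", True),
        })
    return findings


# Constructed sample export (not real data).
SAMPLE_REALM = {
    "clients": [{"clientId": "test"}, {"clientId": "billing"}],
    "users": [
        {"username": "service-account-test", "enabled": True,
         "email": "service-account-test@placeholder.org",
         "serviceAccountClientId": "test"},
        {"username": "alice", "email": "alice@example.com"},
        {"username": "service-account-billing",
         "email": "service-account-billing@PLACEHOLDER.ORG"},
        {"username": "bob", "email": "bob@placeholder.org"},
        {"username": "no-mail", "email": None},
    ],
}

if __name__ == "__main__":
    for finding in find_placeholder_accounts(SAMPLE_REALM):
        print(finding)
```

Every account the check returns has a mailbox on a domain the deployment does not control, whether or not it follows the service-account naming pattern.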

Affected Versions

All versions before 8.0.0

Solution

Upgrade to version 8.0.0 or above.

Last Modified

2022-09-12
