CVE-2019-14837: Use of Hard-coded Credentials

May 24, 2022 (updated September 12, 2022)

A flaw was found in keycloack before version 8.0.0. The owner of ‘placeholder.org’ domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name ’test’ the email address will be ‘service-account-test@placeholder.org’.

References

bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837
github.com/advisories/GHSA-cf8f-w2c5-p5jr
github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f
issues.jboss.org/browse/KEYCLOAK-10780
nvd.nist.gov/vuln/detail/CVE-2019-14837

Detect and mitigate CVE-2019-14837 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →