CVE-2020-1714: Improper Input Validation
A flaw was found in Keycloak, where the code base contains uses of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrary serialized Java objects, which are then deserialized in a privileged context and can potentially lead to remote code execution.
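The defect described above is the absence of a type check before deserialization. The following is an added example, not Keycloak code and not the project's actual fix; it shows the general mitigation for such a site, assuming Java 9 or later: an ObjectInputStream subclass that resolves only classes on an explicit allow-list, so a stream naming any other class is refused before that class's readObject, readResolve or constructors can run.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Set;

// Added illustration, not Keycloak code: an ObjectInputStream that refuses to resolve
// any class outside an explicit allow-list, so an attacker-chosen class in the stream is
// rejected before its readObject()/readResolve() or constructors can run.
public final class AllowListObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;
    public AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
        // Java 9+: the stream-level filter (JEP 290) sees every class before resolveClass and can
        // also bound array sizes and depth; kept here as an independent second check. Assumes no
        // JVM-wide jdk.serialFilter is already installed (then this call would throw).
        setObjectInputFilter(info -> info.serialClass() == null
                ? ObjectInputFilter.Status.UNDECIDED
                : allowed.contains(info.serialClass().getName())
                        ? ObjectInputFilter.Status.ALLOWED
                        : ObjectInputFilter.Status.REJECTED);
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }
    static Object readAllowed(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of("java.util.ArrayList", "java.lang.String"); // only what we expect
        List<String> roles = new ArrayList<>(List.of("admin", "user"));         // constructed sample
        System.out.println("accepted: " + readAllowed(serialize(roles), allowed));
        try {
            readAllowed(serialize(new Date()), allowed);                        // unexpected class
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list should name exactly the classes the application expects at that call site; a wide list (or any entry that is itself a known gadget) reintroduces the problem.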