CVE-2019-14837
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-14837
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14837.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-14837
- Aliases
- Downstream
- Published
- 2020-01-07T17:15:11Z
- Modified
- 2025-10-21T04:47:57.342347Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.
- References
Affected packages
Git / github.com/keycloak/keycloak
Affected ranges
- Type
- GIT
- Repo
- https://github.com/keycloak/keycloak
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.0-alpha-1
1.0-alpha-1-12062013
1.0-alpha-2
1.0-alpha-3
1.0-beta-1
1.0-beta-2
1.0-beta-4
1.0-final
1.0-rc-1
1.0.0.Final
1.1.0.Beta2
1.3.0.Final
2.*
2.4.0.Test
Database specific
vanir_signatures
[
{
"id": "CVE-2019-14837-a2c6884a",
"target": {
"file": "services/src/main/java/org/keycloak/services/managers/ClientManager.java",
"function": "enableServiceAccount"
},
"source": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f",
"signature_type": "Function",
"digest": {
"function_hash": "126741504771978729043369521787213189602",
"length": 2126.0
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2019-14837-a994c281",
"target": {
"file": "testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ClientTest.java"
},
"source": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"295086655340176707572018609400594224648",
"230923750416719097253666375686696885998",
"108230210546739027522137190012164367085",
"78978046634224970440187833274870526012"
]
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2019-14837-b3b6e808",
"target": {
"file": "services/src/main/java/org/keycloak/services/managers/ClientManager.java"
},
"source": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"200630484469973896925688190004996223352",
"106990201193737904859435580061190294084",
"242540592970210906247907060871931382826",
"313877442859038868708636237180079387935",
"287591885956678564472639569559874497858",
"192601162570866188502893375547554967121",
"268569043936654145204061701475878886854",
"339493756575458172806346080204906596104"
]
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2019-14837-bcaad3e1",
"target": {
"file": "services/src/main/java/org/keycloak/services/managers/ClientManager.java",
"function": "clientIdChanged"
},
"source": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f",
"signature_type": "Function",
"digest": {
"function_hash": "108986492391179383934949050921934250974",
"length": 389.0
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2019-14837-dc9434cf",
"target": {
"file": "testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ClientTest.java",
"function": "serviceAccount"
},
"source": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f",
"signature_type": "Function",
"digest": {
"function_hash": "240534348026170579334302078948668128437",
"length": 395.0
},
"deprecated": false,
"signature_version": "v1"
}
]