CVE-2020-1714
keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
Se detectó un fallo en Keycloak versiones anteriores a 11.0.0, donde la base de código contiene usos de la función ObjectInputStream sin ningún tipo de comprobaciones. Este fallo permite a un atacante inyectar Objetos Java serializados arbitrariamente, que luego se deserializarán en un contexto privilegiado y conlleva potencialmente a una ejecución de código remota.
A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. This release of Red Hat Decision Manager 7.8.1 serves as an update to Red Hat Decision Manager 7.8.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include XML injection and code execution vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-11-27 CVE Reserved
- 2020-05-13 CVE Published
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (4)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/keycloak/keycloak/pull/7053 | 2021-10-19 |
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714 | 2021-10-19 | |
| https://access.redhat.com/security/cve/CVE-2020-1714 | 2020-12-16 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1705975 | 2020-12-16 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Keycloak Search vendor "Redhat" for product "Keycloak" | < 11.0.0 Search vendor "Redhat" for product "Keycloak" and version " < 11.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Decision Manager Search vendor "Redhat" for product "Decision Manager" | 7.0 Search vendor "Redhat" for product "Decision Manager" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Fuse Search vendor "Redhat" for product "Jboss Fuse" | 7.0.0 Search vendor "Redhat" for product "Jboss Fuse" and version "7.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Application Runtimes Search vendor "Redhat" for product "Openshift Application Runtimes" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Process Automation Search vendor "Redhat" for product "Process Automation" | 7.0 Search vendor "Redhat" for product "Process Automation" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | 7.0 Search vendor "Redhat" for product "Single Sign-on" and version "7.0" | - |
Affected
| ||||||
| Quarkus Search vendor "Quarkus" | Quarkus Search vendor "Quarkus" for product "Quarkus" | <= 1.4.2 Search vendor "Quarkus" for product "Quarkus" and version " <= 1.4.2" | - |
Affected
| ||||||