
CVE-2019-14820: Exposure of Sensitive Information to an Unauthorized Actor in Keycloak

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.53675%
Published: 4/15/2020
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.keycloak:keycloak-core
Ecosystem: maven
Vulnerable Versions: < 8.0.0
First Patched Version: 8.0.0

Vulnerability Intelligence

Root Cause Analysis

The patch removes `createCallbackId` and related `callback_id` tracking from the JavaScript adapter. This code was likely part of the endpoint URL generation mechanism that made internal endpoints accessible. The removal in the security patch indicates these functions were involved in the information exposure vulnerability. During exploitation, these functions would be invoked when processing crafted URLs targeting adapter endpoints.

WAF Protection Rules

WAF Rule

It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized informa
