[ASA-202005-8] keycloak: arbitrary code execution

Remi Gacogne rgacogne at archlinux.org
Wed May 20 15:58:34 UTC 2020


Arch Linux Security Advisory ASA-202005-8
=========================================

Severity: High
Date    : 2020-05-16
CVE-ID  : CVE-2020-1714
Package : keycloak
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1158

Summary
=======

The package keycloak before version 10.0.1-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 10.0.1-1.

# pacman -Syu "keycloak>=10.0.1-1"

The problem has been fixed upstream in version 10.0.1.

Workaround
==========

None.

Description
===========

A flaw was found in Keycloak: the code base uses ObjectInputStream
without type checks. This allows an attacker to inject arbitrary
serialized Java objects, which are then deserialized in a privileged
context and could lead to remote code execution.
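
As an added illustration of the flaw class described above (not Keycloak's code or its upstream fix), the following shows an unchecked ObjectInputStream beside one that enforces a class allow-list in resolveClass(). The Attribute class, the allow-listed name and the sample inputs are constructed for this example; Set.of requires Java 9 or later.

```java
import java.io.*;
import java.util.Set;
// Added example, not Keycloak's code. ObjectInputStream.readObject() with no
// type check instantiates whatever class the stream names; overriding
// resolveClass() with an allow-list rejects anything else before it is built.
public class DeserializationTypeCheck {
    // Hypothetical application type standing in for a custom attribute value.
    static final class Attribute implements Serializable {
        final String name;
        Attribute(String name) { this.name = name; }
    }
    // Vulnerable pattern: any Serializable class on the classpath is accepted.
    static Object readUnchecked(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }
    // Hardened pattern: class names are checked before any instance exists.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in); this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName()))
                throw new InvalidClassException(desc.getName(), "not on deserialization allow-list");
            return super.resolveClass(desc);
        }
    }
    static Object readChecked(byte[] data) throws Exception {
        try (ObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(data), Set.of(Attribute.class.getName()))) {
            return in.readObject();
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Attribute("department")); // constructed input
        byte[] other = serialize(new java.util.Date(0));          // constructed, unrelated class
        System.out.println("unchecked built: " + readUnchecked(other).getClass().getName());
        System.out.println("checked built: " + ((Attribute) readChecked(expected)).name);
        try { readChecked(other); } catch (InvalidClassException e) { System.out.println("rejected: " + e); }
    }
}
```

Java 9 and later also provide ObjectInputFilter (ObjectInputStream.setObjectInputFilter) for the same purpose; in both approaches the check runs before an instance is created, which an instanceof test on the value returned by readObject() cannot achieve.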

Impact
======

An authenticated remote attacker could execute arbitrary code by
injecting values into a custom attribute.

References
==========

https://bugs.archlinux.org/task/66642
https://github.com/keycloak/keycloak/pull/7053
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714
https://security.archlinux.org/CVE-2020-1714
