[ASA-202005-8] keycloak: arbitrary code execution
rgacogne at archlinux.org
Wed May 20 15:58:34 UTC 2020
Arch Linux Security Advisory ASA-202005-8
Date : 2020-05-16
CVE-ID : CVE-2020-1714
Package : keycloak
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1158
The package keycloak before version 10.0.1-1 is vulnerable to arbitrary
Upgrade to 10.0.1-1.
# pacman -Syu "keycloak>=10.0.1-1"
The problem has been fixed upstream in version 10.0.1.
A flaw was found in Keycloak, where the code base contains usages of
ObjectInputStream without type checks. This flaw allows an attacker to
inject arbitrarily serialized Java Objects, which would then get
deserialized in a privileged context and potentially lead to remote
An authenticated remote attacker could execute arbitrary code by
injecting values into a custom attribute.
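The flaw described above is the classic unchecked `ObjectInputStream.readObject()` pattern: without a type check, the stream itself decides which `Serializable` class gets instantiated. The following is an added example, not Keycloak's code, showing that pattern beside the hardened form that upstream-style fixes use: a class allowlist enforced through `java.io.ObjectInputFilter` (Java 9+). The `CustomAttribute` class and the `readUnchecked`/`readFiltered` helpers are hypothetical names for this illustration; the sample inputs are constructed inline, and the "unexpected" object is a harmless `ArrayList` standing in for any class the stream might name.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added illustration (not Keycloak code): the unchecked readObject() pattern the
// advisory describes, next to the same read guarded by a class allowlist.
public class DeserializationAllowlistDemo {

    // Hypothetical value type: what a service legitimately expects to read back.
    public static final class CustomAttribute implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final String value;
        CustomAttribute(String name, String value) { this.name = name; this.value = value; }
        @Override public String toString() { return name + "=" + value; }
    }

    // Vulnerable pattern: no type check, so readObject() will instantiate any
    // Serializable class on the classpath that the stream names.
    static Object readUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened form (Java 9+): an ObjectInputFilter that allows only the expected
    // classes and bounds object-graph depth. Rejected classes are never instantiated.
    static final Set<Class<?>> ALLOWED = Set.of(CustomAttribute.class, String.class);

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(info -> {
                if (info.depth() > 4) {
                    return ObjectInputFilter.Status.REJECTED;
                }
                Class<?> c = info.serialClass();
                if (c == null) {
                    // Invoked for stream-level limits with no class in hand; leave it to other limits.
                    return ObjectInputFilter.Status.UNDECIDED;
                }
                return ALLOWED.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                           : ObjectInputFilter.Status.REJECTED;
            });
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one legitimate attribute and one object of an unrelated
        // (harmless) class standing in for "anything else the stream might name".
        byte[] expected = serialize(new CustomAttribute("department", "research"));
        byte[] unexpected = serialize(new ArrayList<>(List.of("not", "an", "attribute")));

        System.out.println("unchecked, expected   : " + readUnchecked(expected));
        System.out.println("unchecked, unexpected : " + readUnchecked(unexpected) + "  <- accepted anything");

        System.out.println("filtered,  expected   : " + readFiltered(expected));
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            // readObject() throws InvalidClassException when the filter returns REJECTED.
            System.out.println("filtered,  unexpected : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationAllowlistDemo.java && java DeserializationAllowlistDemo` on Java 9 or newer. The same allowlist can be written as a pattern string with `ObjectInputFilter.Config.createFilter("DeserializationAllowlistDemo$CustomAttribute;!*")`, or applied process-wide with `-Djdk.serialFilter=...` so that every `ObjectInputStream` in the JVM is covered, not just the ones a code review happened to find; on Java 8, overriding `ObjectInputStream.resolveClass` with the same allowlist gives equivalent protection.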