{
  "threat_severity" : "Moderate",
  "public_date" : "2019-10-14T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: cross-realm user access auth bypass",
    "id" : "1749487",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1749487"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.0",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-863",
  "details" : [ "A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm in which the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.", "A flaw was found in the Keycloak REST API where it would permit user access from a realm in which the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Runtimes Spring Boot 2.1.12",
    "release_date" : "2020-06-04T00:00:00Z",
    "advisory" : "RHSA-2020:2366",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "keycloak"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3.4 zip",
    "release_date" : "2019-10-14T00:00:00Z",
    "advisory" : "RHSA-2019:3050",
    "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.3"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3 for RHEL 6",
    "release_date" : "2019-10-14T00:00:00Z",
    "advisory" : "RHSA-2019:3044",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el6",
    "package" : "rh-sso7-keycloak-0:4.8.13-1.Final_redhat_00001.1.el6sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3 for RHEL 7",
    "release_date" : "2019-10-14T00:00:00Z",
    "advisory" : "RHSA-2019:3045",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el7",
    "package" : "rh-sso7-keycloak-0:4.8.13-1.Final_redhat_00001.1.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3 for RHEL 7",
    "release_date" : "2019-10-14T00:00:00Z",
    "advisory" : "RHSA-2019:3045",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el7",
    "package" : "rh-sso7-libunix-dbus-java-0:0.8.0-2.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3 for RHEL 8",
    "release_date" : "2019-10-14T00:00:00Z",
    "advisory" : "RHSA-2019:3046",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el8",
    "package" : "rh-sso7-keycloak-0:4.8.13-1.Final_redhat_00001.1.el8sso"
  }, {
    "product_name" : "Text-Only RHOAR",
    "release_date" : "2020-05-18T00:00:00Z",
    "advisory" : "RHSA-2020:2067",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Mobile Application Platform 4",
    "fix_state" : "Out of support scope",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:mobile_application_platform:4"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Out of support scope",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat support for Spring Boot",
    "fix_state" : "Affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-14832\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14832" ],
  "name" : "CVE-2019-14832",
  "csaw" : false
}