[ASA-202005-8] keycloak: arbitrary code execution
Arch Linux Security Advisory ASA-202005-8
=========================================
Severity: High
Date : 2020-05-16
CVE-ID : CVE-2020-1714
Package : keycloak
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1158
Summary
=======
The package keycloak before version 10.0.1-1 is vulnerable to arbitrary
code execution.
Resolution
==========
Upgrade to 10.0.1-1.
# pacman -Syu "keycloak>=10.0.1-1"
The problem has been fixed upstream in version 10.0.1.
Workaround
==========
None.
Description
===========
A flaw was found in Keycloak, where the code base contains usages of
ObjectInputStream without type checks. This flaw allows an attacker to
inject arbitrary serialized Java objects, which are then deserialized in
a privileged context and can lead to remote code execution.
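The pattern described above, shown as an added example written for this
advisory; it is not Keycloak's code and not the upstream fix from the
referenced pull request. The class names, the Attr data holder and the
allow-list are assumptions made for the demo. readUnchecked() is the
vulnerable shape (any class on the classpath may be instantiated from
attacker-controlled bytes); readChecked() overrides resolveClass() so
that only expected classes are resolved before readObject() runs.

```java
import java.io.*;
import java.util.Set;

public class DeserializationDemo {

    // Plain data holder used only by this demo (constructed, not from Keycloak).
    public static final class Attr implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final String value;
        Attr(String name, String value) { this.name = name; this.value = value; }
        @Override public String toString() { return name + "=" + value; }
    }

    // VULNERABLE PATTERN: no type check. Whoever controls 'bytes' chooses which
    // classes get instantiated, so any gadget chain on the classpath is reachable.
    static Object readUnchecked(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // HARDENED: explicit allow-list of classes this code path expects (assumed for the demo).
    static final Set<String> ALLOWED = Set.of(Attr.class.getName(), String.class.getName());

    static Object readChecked(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                // Reject before the class is loaded or its readObject() runs.
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(),
                            "Unauthorized deserialization attempt");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Attr("department", "finance"));
        // A benign but unexpected type standing in for an attacker-chosen gadget class.
        byte[] unexpected = serialize(new java.util.ArrayList<>(java.util.List.of("x")));

        System.out.println("unchecked, expected:   " + readUnchecked(expected));
        System.out.println("unchecked, unexpected: " + readUnchecked(unexpected)); // accepted: the flaw
        System.out.println("checked, expected:     " + readChecked(expected));
        try {
            readChecked(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("checked, unexpected:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

On Java 9 and later the same effect can be obtained with the JDK's
ObjectInputFilter (in.setObjectInputFilter(...)) instead of overriding
resolveClass(); either way the check must run before readObject(), since
gadget chains execute during deserialization, not after it.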
Impact
======
An authenticated remote attacker could execute arbitrary code by
injecting values into a custom attribute.
References
==========
https://bugs.archlinux.org/task/66642
https://github.com/keycloak/keycloak/pull/7053
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714
https://security.archlinux.org/CVE-2020-1714