CVE-2020-14302 and CVE-2020-10770 before Keycloak 13.0.0

Hello everyone,

In both cases “A flaw was found in Keycloak before 13.0.0

  • CVE-2020-14302
  • CVE-2020-10770

On the other hand from here it’s evident, that both CVEs were fixed in version 13.0.0, but from what I understood, this version is unreleased yet.

I decided to use one of the latest version of Keycloak either 12.0.1 or 12.0.2 for my project. How can I figure out that these versions are fixed also and is it even possible?

Thank you.

I found this link: Update Keycloak to 12.0.0+ · Issue #88 · strimzi/strimzi-kafka-oauth · GitHub

Does it mean that list of all CVEs mentioned in this #88 issue are fixed from version 12.0.1 up to 12.0.2 etc…?

Please, if some responsible person read this post, can you let me know, how I can figure out, if some specific CVE been patched also for specific version of Keycloak?

Because till now, nobody was able to answer me how I can identify if patch for unreleased version 13.0.0 is also backported into latest version 12.0.x.


@wh33zy did you get an answer to you questions?

We are in the process of adopting Keycloak 11.0.3, however just recently we paid attention to the vulnerabilities…our scan yields this list:


Because of this we are thinking of upgrading to version 12.0.4, however even in that version the following are reported:

Does anyone know whether there is a chance these issues to be fixed in versions 11.x or 12.x ?


1 Like

If they don’t get fixed in 12.x, do we have at least a planned release date for 13.0.0?