CVE-2020-14389 and KeyCloak 10.x

Hello KeyCloak Community,

We noticed that a fix for CVE-2020-14389 has been released for the branch 12.x [1], but this has not been backported to the branch 10.x. Are you planning to backport it ? And if so, when ?

We are also wondering when the support for the branch 10.x will end ?

[1] 1875843 – (CVE-2020-14389) CVE-2020-14389 keycloak: user can manage resources with just "view-profile" role using new Account Console

Best,
Laurent

IMHO it won’t be backported. There is no concept of LTS releases for the Keycloak: LTS policy and supported versions, recommended versions - #3 by ieugen
So you have to use the latest release.

Thank you for this clarification jangaraj :slight_smile: