CVE-2020-1714 remote code execution before Keycloak 11

Hi, I saw CVE-2020-1714 went up almost two weeks ago, mentioning a potential remote code execution exploit in versions of Keycloak before 11.0.

Given that the latest version is 10.0.1, released before this CVE was published, and the CVE doesn't mention that release, I wonder if this version is vulnerable, and if so, when do you expect a fix for this very severe vulnerability?


All versions seem to be vulnerable. A fix is in progress, or seems to be, at https://github.com/keycloak/keycloak/pull/7053

Thanks for the link. Was looking in Jira but didn’t find anything there.

When will version 11.0.0 be released?
We are currently on Keycloak version 8.0.2 and do not see the point in upgrading to 10.0.2, since the same CVEs exist in the latest version.

When will version 11.0.0 be released? A lot of CVEs exist in the latest version.
We want to use Keycloak in production, and these CVEs in the latest version are holding us back from deploying. Please release Keycloak with all CVEs resolved ASAP.
Looking forward to this. We recommend your product; it's very useful for future projects.

Thanks in Advance!

A fix was merged 2 days ago in https://github.com/keycloak/keycloak/pull/7138; you can always build from master yourself until a final release if you really need it.