NewsSecurity Vulnerabilities

Keycloak LDAP authentication vulnerability [CVE-2019-14910]

A vulnerability has been found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered.

Mitigation:

* If possible use SSL (ldaps) instead

* Disable StartTLS

Further details here

Duncan

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.