### Vulnerability Key Information

- **CVE ID**: CVE-2020-1714
- **Vulnerability Type**: Missing type checks on `ObjectInputStream` deserialization, leading to remote code execution
- **Reported Time**: 2019-05-03 10:27 UTC
- **Status**: CLOSED ERRATA
- **Severity**: High
- **Tracker Product**: Security Response (Red Hat Bugzilla)
- **Fixed Version**: Keycloak 11.0.0
- **Related Links**:
  - https://github.com/keycloak/keycloak/pull/7053
  - https://issues.jboss.org/browse/KEYCLOAK-10162

### Vulnerability Description

Keycloak before version 11.0.0 uses `java.io.ObjectInputStream` in several places without restricting which classes the stream may instantiate. An attacker who can supply serialized data to one of those code paths can inject arbitrary serialized Java objects; because the data is deserialized in the privileged context of the Keycloak server, a suitable gadget chain on the server classpath can lead to remote code execution.

The upstream fix (PR 7053, tracked as KEYCLOAK-10162) is shipped in Keycloak 11.0.0; downstream Red Hat builds are corrected by the errata listed under Fix Information.

### Fix Information

- **Fix IDs**:
  - RHSA-2020:2813
  - RHSA-2020:2814
  - RHSA-2020:2816
  - RHSA-2020:2905
  - RHSA-2020:3017
  - RHSA-2020:3675
  - RHSA-2020:3678
  - RHSA-2020:4252
  - RHSA-2020:5568

### Affected Products

- Red Hat Single Sign-On 7.4.1
- Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6, 7, 8
- Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6, 7
- Red Hat OpenShift Application Runtimes
- Red Hat Runtimes Spring Boot 2.1.15
- Red Hat Decision Manager
- Red Hat Process Automation
- Red Hat build of Quarkus 1.7.5
- Red Hat Fuse 7.8.0
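The following is an added example and is not code from Keycloak or from the upstream fix in PR 7053. It contrasts the unchecked `ObjectInputStream` pattern the advisory describes with two hardened variants: an allowlisting `resolveClass` override, which works on any JDK, and an `ObjectInputFilter`, available on Java 9 and later. The `SessionToken` class, the allowlist contents and the two sample payloads are constructed for illustration; a real attack payload would name a gadget-chain class present on the server classpath rather than a `HashMap`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class DeserializationHardening {

    // Hypothetical application type that the server legitimately expects to read back.
    static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        SessionToken(String user) { this.user = user; }
    }

    // Hypothetical allowlist: the only classes this code path should ever instantiate.
    // String is included so the token's field survives filtering on JDKs that check it.
    static final Set<String> ALLOWED = Set.of(SessionToken.class.getName(), String.class.getName());

    // VULNERABLE: the pattern behind CVE-2020-1714. The stream itself names the class to
    // instantiate, so any Serializable class on the classpath (gadget chains included) is accepted.
    static Object readUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // HARDENED (any JDK): reject classes not on the allowlist before they are loaded or instantiated.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not permitted for deserialization");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(data), ALLOWED)) {
            return in.readObject();
        }
    }

    // HARDENED (Java 9+): same policy via ObjectInputFilter, which can also cap graph depth and array sizes.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(info -> {
                if (info.depth() > 4 || info.arrayLength() > 1000) {
                    return ObjectInputFilter.Status.REJECTED;
                }
                Class<?> c = info.serialClass();
                if (c == null) {
                    return ObjectInputFilter.Status.UNDECIDED; // no class at this step, e.g. a back-reference
                }
                return ALLOWED.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                                     : ObjectInputFilter.Status.REJECTED;
            });
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SessionToken("alice"));
        // Constructed stand-in for attacker-controlled input: harmless here, but it is a class the
        // application never meant to accept, which is exactly what the hardened readers must refuse.
        HashMap<String, String> foreign = new HashMap<>();
        foreign.put("cmd", "id");
        byte[] unexpected = serialize(foreign);

        System.out.println("unchecked accepts foreign class: " + readUnchecked(unexpected).getClass().getName());
        System.out.println("checked accepts expected class:  " + ((SessionToken) readChecked(expected)).user);
        try {
            readChecked(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("resolveClass rejected: " + e.getMessage());
        }
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("ObjectInputFilter rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationHardening.java && java DeserializationHardening`. Both hardened readers fail closed with `InvalidClassException` as soon as the stream names a class outside the allowlist, before any constructor, `readObject` or `readResolve` method of that class runs. Keep the allowlist to the exact types a given code path reads; where attacker-reachable input can be moved off Java serialization entirely (for example to JSON with an explicit schema), that removes the gadget-chain attack surface rather than filtering it.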