{"id":"CVE-2019-14837","details":"A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.","aliases":["GHSA-cf8f-w2c5-p5jr"],"modified":"2026-04-10T08:39:40.266967Z","published":"2020-01-07T17:15:11.033Z","references":[{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837"},{"type":"REPORT","url":"https://issues.jboss.org/browse/KEYCLOAK-10780"},{"type":"FIX","url":"https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/keycloak/keycloak","events":[{"introduced":"0"},{"fixed":"5e38182d88de39296de0ed19f8220dc6f60e6a52"},{"fixed":"9a7c1a91a59ab85e7f8889a505be04a71580777f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"8.0.0"}]}}],"versions":["1.0-alpha-1","1.0-alpha-1-12062013","1.0-alpha-2","1.0-alpha-3","1.0-beta-1","1.0-beta-2","1.0-beta-4","1.0-final","1.0-rc-1","1.0.0.Final","1.1.0.Beta2","1.3.0.Final","2.4.0.Test"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-14837.json","vanir_signatures":[{"signature_type":"Function","deprecated":false,"target":{"file":"services/src/main/java/org/keycloak/services/managers/ClientManager.java","function":"enableServiceAccount"},"source":"https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f","digest":{"function_hash":"126741504771978729043369521787213189602","length":2126},"id":"CVE-2019-14837-a2c6884a","signature_version":"v1"},{"signature_type":"Line","deprecated":false,"target":{"file":"testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ClientTest.java"},"source":"https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f","digest":{"threshold":0.9,"line_hashes":["295086655340176707572018609400594224648","230923750416719097253666375686696885998","108230210546739027522137190012164367085","78978046634224970440187833274870526012"]},"id":"CVE-2019-14837-a994c281","signature_version":"v1"},{"signature_type":"Line","deprecated":false,"target":{"file":"services/src/main/java/org/keycloak/services/managers/ClientManager.java"},"source":"https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f","digest":{"threshold":0.9,"line_hashes":["200630484469973896925688190004996223352","106990201193737904859435580061190294084","242540592970210906247907060871931382826","313877442859038868708636237180079387935","287591885956678564472639569559874497858","192601162570866188502893375547554967121","268569043936654145204061701475878886854","339493756575458172806346080204906596104"]},"id":"CVE-2019-14837-b3b6e808","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"services/src/main/java/org/keycloak/services/managers/ClientManager.java","function":"clientIdChanged"},"source":"https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f","digest":{"function_hash":"108986492391179383934949050921934250974","length":389},"id":"CVE-2019-14837-bcaad3e1","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ClientTest.java","function":"serviceAccount"},"source":"https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f","digest":{"function_hash":"240534348026170579334302078948668128437","length":395},"id":"CVE-2019-14837-dc9434cf","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-10T08:39:40Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.3"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}