PT-2019-11602 · Red Hat · Keycloak+1
Published 2019-06-12 · Updated 2019-10-09 · CVE-2019-10157
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions:
Keycloak versions prior to 4.8.3
keycloak-connect versions prior to 4.4.0
Description:
The issue stems from improper verification of the web tokens (JWTs) that the adapter receives from the server during the backchannel logout process. An attacker with local access could construct a malicious web token that sets the nbf (not-before) claim, potentially preventing user access indefinitely. The vulnerability also affects the /k_logout route, where the failure to validate JWT signatures allows attackers to log out users and craft malicious JWTs.
Recommendations:
For Keycloak versions prior to 4.8.3, upgrade to version 4.8.3 or later.
For keycloak-connect versions prior to 4.4.0, upgrade to version 4.4.0 or later.
As a temporary workaround, consider restricting access to the /k_logout route until a patch is available.
Fix
Insufficient Verification of Data Authenticity
Improper Authentication
Related identifiers
Affected products
Keycloak
Keycloak-Connect