PT-2019-16748 · Red Hat · Keycloak

Published: 2019-04-24 · Updated: 2020-02-10 · CVE-2019-3868

CVSS v2.0: 5.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak versions up to 6.0.0

Description: The issue allows an attacker with access to the service provider backend to hijack a user's browser session. This is because Keycloak permits the use of the end user token, such as the JWT access or id token, as the session cookie for browser sessions in OIDC.

Recommendations: For versions up to 6.0.0, consider disabling the use of the end user token as the session cookie for browser sessions to prevent session hijacking until a patch is available. Restrict access to the service provider backend to minimize the risk of exploitation.

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2019-3868
GHSA-GC52-XJ6P-9PXP
RHSA-2019:0856
RHSA-2019:0857

Affected products

Keycloak