PT-2019-11602 · Red Hat · Keycloak, Keycloak-Connect
Published 2019-06-12 · Updated 2019-10-09 · CVE-2019-10157
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions:
Keycloak versions prior to 4.8.3
keycloak-connect versions prior to 4.4.0
Description:
The issue stems from improper verification of the web tokens received from the server during the backchannel logout process. An attacker with local access could construct a malicious web token that sets an NBF (not-before) parameter, potentially preventing user access indefinitely. The vulnerability also affects the /k_logout route, where the failure to validate JWT signatures allows attackers to log users out and craft malicious JWTs.
Recommendations:
For Keycloak versions prior to 4.8.3, upgrade to version 4.8.3 or later.
For keycloak-connect versions prior to 4.4.0, upgrade to version 4.4.0 or later.
As a temporary workaround, consider restricting access to the /k_logout route until a patch is available.
Fix
Insufficient Verification of Data Authenticity
Improper Authentication
Affected Products
Keycloak
Keycloak-Connect