PT-2019-16748 · Red Hat · Keycloak

Published

2019-04-24

Updated

2020-02-10

CVE-2019-3868

CVSS v2.0

5.5

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions Keycloak versions up to 6.0.0

Description The issue allows an attacker with access to the service provider backend to hijack a user's browser session. This is because Keycloak permits the use of the end user token, such as the JWT access or id token, as the session cookie for browser sessions in OIDC.

Recommendations For versions up to 6.0.0, consider disabling the use of the end user token as the session cookie for browser sessions to prevent session hijacking until a patch is available. Restrict access to the service provider backend to minimize the risk of exploitation.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2019-3868

GHSA-GC52-XJ6P-9PXP

RHSA-2019:0856

RHSA-2019:0857

Affected Products

Keycloak

PT-2019-16748 · Red Hat · Keycloak

CVE-2019-3868

Weakness Enumeration

Related Identifiers

Affected Products

References · 8