Main Vulnerability Database Vulnerabilities #VU21706

Insufficiently protected credentials in Keycloak - CVE-2019-3868

Published: October 10, 2019

Vulnerability identifier: #VU21706

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-3868

CWE-ID: CWE-522

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Keycloak

Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote attacker to hijack user's session.

The vulnerability exists due to software may use the end user token (access or id token JWT) as a session cookie for browser sessions for OIDC. A remote attacker that has access to the service provider backend can hijack the user's browser session and gain unauthorized access to the application.

How to mitigate CVE-2019-3868

Install updates from vendor's website.

Sources

https://access.redhat.com/errata/RHSA-2019:1140
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3868

Insufficiently protected credentials in Keycloak - CVE-2019-3868

Detailed vulnerability description

How to mitigate CVE-2019-3868

Sources

Please verify you're human