CVE-2019-10201

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10201 Issue Tracking Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.3.3:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-08-14 17:15

Updated : 2024-02-28 17:08


NVD link : CVE-2019-10201

Mitre link : CVE-2019-10201

CVE.ORG link : CVE-2019-10201


JSON object : View

Products Affected

redhat

  • single_sign-on
  • keycloak
CWE
CWE-347

Improper Verification of Cryptographic Signature

CWE-592

DEPRECATED: Authentication Bypass Issues