CVE-2019-10157
Published: 2019-06-12

Severity: Medium, 5.5 (CVSS 3.0)

CVSS 3.0 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout. An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| red_hat | keycloak | — | — |
| redhat | keycloak | < 4.8.3 | 4.8.3 |
| redhat | single_sign-on | < 7.3.2 | 7.3.2 |