CVE-2019-10157 — Insufficient Verification of Data Authenticity in Redhat Keycloak

CWE-345 — Insufficient Verification of Data Authenticity CWE-287 — Improper Authentication6 documents6 sources

Severity

5.5MEDIUMNVD

CNA4.7

EPSS

0.0%

top 95.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak Redhat Single Sign-on RED HAT Keycloak

Timeline

PublishedJun 12

Latest updateJun 13

Description

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDredhat/keycloak< 4.8.3

▶CVEListV5red_hat/keycloak4.8.3

▶NVDredhat/single_sign-on< 7.3.2

🔴Vulnerability Details

GHSA

Forced Logout in keycloak-connect↗2019-06-13

▶

OSV

Forced Logout in keycloak-connect↗2019-06-13

▶

CVEList

CVE-2019-10157: It was found that Keycloak's Node↗2019-06-12

▶

📋Vendor Advisories

Red Hat

keycloak: Node.js adapter internal NBF can be manipulated leading to DoS.↗2019-06-11

▶

💬Community

Bugzilla

CVE-2019-10157 keycloak: Node.js adapter internal NBF can be manipulated leading to DoS.↗2019-04-25

▶