CVE-2019-10199Cross-Site Request Forgery in Redhat Keycloak

CWE-352Cross-Site Request ForgeryCWE-20Improper Input Validation6 documents6 sources
Severity
8.8HIGHNVD
EPSS
0.1%
top 73.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Redhat KeycloakRED HAT Keycloak
Timeline
PublishedAug 14
Latest updateSep 23

Description

It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDredhat/keycloak6.0.1
CVEListV5red_hat/keycloakup to keycloak 6.0.1

🔴Vulnerability Details

3
GHSA
Improper Input Validation and Cross-Site Request Forgery in Keycloak2019-09-23
OSV
Improper Input Validation and Cross-Site Request Forgery in Keycloak2019-09-23
CVEList
CVE-2019-10199: It was found that Keycloak's account console, up to 62019-08-14

📋Vendor Advisories

1
Red Hat
keycloak: CSRF check missing in My Resources functionality in the Account Console2019-08-13

💬Community

1
Bugzilla
CVE-2019-10199 keycloak: CSRF check missing in My Resources functionality in the Account Console2019-07-11
CVE-2019-10199 — Cross-Site Request Forgery in Redhat | cvebase