CVE-2019-3868 — Sensitive Information Exposure in Redhat Keycloak

CWE-200 — Sensitive Information Exposure18 documents7 sources

Severity

3.8LOWNVD

EPSS

0.3%

top 49.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak RED HAT Keycloak

Timeline

PublishedApr 24

Latest updateFeb 12

Description

Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user’s browser session.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:NExploitability: 1.2 | Impact: 2.5

Affected Packages2 packages

▶NVDredhat/keycloak6.0.0

▶CVEListV5red_hat/keycloakaffects up to 6.0.0 version

🔴Vulnerability Details

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Keycloak↗2019-04-30

▶

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Keycloak↗2019-04-30

▶

CVEList

CVE-2019-3868: Keycloak up to version 6↗2019-04-24

▶

📋Vendor Advisories

Red Hat

keycloak: session hijack using the user access token↗2019-04-23

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Remote code execution vulnerability in Apple Safari↗2020-02-12

▶

💬Community

Bugzilla

CVE-2019-3868 keycloak: session hijack using the user access token↗2019-02-20

▶

Bugzilla

CVE-2019-7638 SDL: heap-based buffer over-read in Map1toN in video/SDL_pixels.c↗2019-02-14

▶

Bugzilla

CVE-2019-7636 SDL: heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c↗2019-02-14

▶

Bugzilla

CVE-2019-7635 SDL: heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c↗2019-02-14

▶

Bugzilla

CVE-2019-7637 SDL: heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c↗2019-02-14

▶