Improper Verification of Cryptographic Signature in keycloak

GHSA-4fgq-gq9g-3rw7 · CVE-2019-10201

Published Sep 23, 2019 · Modified Nov 8, 2023

Description

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-10201
WEB https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10201

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes