LOW 3.8 Maven
Exposure of Sensitive Information to an Unauthorized Actor in Keycloak
GHSA-gc52-xj6p-9pxp · CVE-2019-3868
Description
Keycloak up to version 6.0.0 allows the end-user token (the access or ID token JWT) to be used as the session cookie for OIDC browser sessions. As a result, an attacker with access to a service provider backend could hijack the user's browser session.
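The advisory describes a confusion between two credentials that should never be interchangeable: a bearer token handed to a service provider and the cookie that identifies a browser session at the identity provider. As an added illustration (not Keycloak's code and not the fix that shipped in Keycloak), the following Python sketch shows the defensive separation: browser sessions are keyed by opaque, server-generated identifiers held in an in-memory store (an assumption for the example), and the session-cookie resolver refuses any value that has the structure of a JWT, so a leaked access or ID token cannot be replayed as a session cookie. The JWT built by `make_demo_jwt` is a constructed, unsigned sample used only to exercise the check.

```python
import base64
import json
import secrets
from typing import Optional

# Constructed in-memory session store: opaque session id -> user name.
# A real deployment would hold this server-side (database, cache, etc.).
SESSION_STORE: dict = {}


def issue_browser_session(user: str) -> str:
    """Create an opaque, random session id and bind it to the user.

    The id carries no claims of its own; its only meaning is the server-side
    store entry, which is what makes it unusable as a bearer token elsewhere.
    """
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = user
    return sid


def _b64url_json(segment: str) -> Optional[dict]:
    """Decode one base64url segment as a JSON object, or return None."""
    try:
        pad = "=" * (-len(segment) % 4)
        data = base64.urlsafe_b64decode(segment + pad)
        obj = json.loads(data)
        return obj if isinstance(obj, dict) else None
    except (ValueError, UnicodeDecodeError):
        return None


def looks_like_jwt(value: str) -> bool:
    """True if the value has JWT shape: three dot-separated segments whose
    first segment is a JSON header containing an 'alg' field."""
    parts = value.split(".")
    if len(parts) != 3:
        return False
    header = _b64url_json(parts[0])
    return header is not None and "alg" in header


def resolve_browser_session(cookie_value: Optional[str]) -> Optional[str]:
    """Map a session cookie to a user, or None if it is not a valid session.

    Bearer tokens (access/ID token JWTs) are rejected outright, even if they
    would verify as tokens: a token issued to a service provider must not be
    accepted as proof of an interactive browser session.
    """
    if not cookie_value or looks_like_jwt(cookie_value):
        return None
    return SESSION_STORE.get(cookie_value)


def make_demo_jwt(user: str) -> str:
    """Constructed, unsigned JWT-shaped string for demonstration only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = enc({"alg": "HS256", "typ": "JWT"})
    payload = enc({"sub": user, "typ": "Bearer"})
    signature = base64.urlsafe_b64encode(b"not-a-real-signature").rstrip(b"=").decode()
    return f"{header}.{payload}.{signature}"


if __name__ == "__main__":
    sid = issue_browser_session("alice")
    print("opaque session resolves to:", resolve_browser_session(sid))
    print("access token as cookie resolves to:", resolve_browser_session(make_demo_jwt("alice")))
```

The point of the example is the type boundary, not the specific parsing: whatever store backs browser sessions, the cookie resolver should only ever consult that store, and a token minted for a relying party should have no path into it.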