exploitDog
CVE-2019-10201

Published: 13 Aug 2019
Source: redhat
CVSS3: 8.1
EPSS: Low

Description

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.

Mitigation

An administrator can prevent this issue for the POST binding by requiring signed assertions.
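The description and the mitigation above both come down to one policy decision in the broker: is a missing signature an error? The following Python is an added example, not Keycloak's code or anything from the advisory. It models the pre-fix behaviour as the advisory describes it (a Response signature is verified only when one is present) next to a hardened check that rejects a Response whose <Signature> has been removed, and shows why "require signed assertions" blocks the attack even on the vulnerable logic. The SAML documents are constructed samples; the config key wantAssertionsSigned is assumed to mirror the identityProviders[].config map of a Keycloak realm export; cryptographic verification of a signature that is present is delegated to a caller-supplied callable (the default accepts everything so the example runs offline), because the point here is presence and binding, not XML-DSig itself.

```python
# Added example (not Keycloak's code): models the missing-signature check behind
# CVE-2019-10201. SAML documents below are constructed; config keys are assumed to
# mirror a realm export's identityProviders[].config; real XML-DSig verification
# (xmlsec) is delegated to the `verify` callable, which here accepts everything.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the IdP signed the Response element (Reference URI = Response ID).
SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
# Constructed sample: only the Assertion is signed, as "require signed assertions" expects.
ASSERTION_SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a2"/></ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
# Constructed: a Signature that is present but covers some other element's ID.
MISBOUND_RESPONSE = SIGNED_RESPONSE.replace('URI="#_resp1"', 'URI="#_other"')

DEFAULT_CONFIG = {"wantAssertionsSigned": "false"}   # assumed realm-export key name
MITIGATED_CONFIG = {"wantAssertionsSigned": "true"}  # the advisory's mitigation
ACCEPT_ANY = lambda sig, elem: True  # stand-in for xmlsec: assumes the crypto passes


def strip_and_retarget(xml_text: str, name_id: str) -> str:
    """Attacker step from the advisory: drop every <ds:Signature>, then retarget the Subject."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for sig in parent.findall("ds:Signature", NS):
            parent.remove(sig)
    for nid in root.iterfind(".//saml:NameID", NS):
        nid.text = name_id
    return ET.tostring(root, encoding="unicode")


def subject_name_id(xml_text: str) -> str:
    nid = ET.fromstring(xml_text).find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return nid.text if nid is not None else ""


def _wants_signed_assertions(config: dict) -> bool:
    return str(config.get("wantAssertionsSigned", "false")).lower() == "true"


def _signed(elem: ET.Element, verify) -> bool:
    """True only if elem has its own <ds:Signature> whose Reference points at elem's
    ID (rejects a signature borrowed from elsewhere) and verify() accepts it."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + elem.get("ID", ""):
        return False
    return verify(sig, elem)


def vulnerable_accepts(xml_text: str, config: dict, verify=ACCEPT_ANY):
    """Pre-fix logic as the advisory describes it: the Response signature is checked
    only when one is present, so a Response with its signature removed passes."""
    root = ET.fromstring(xml_text)
    if _wants_signed_assertions(config):  # the mitigation path does insist on presence
        if not all(_signed(a, verify) for a in root.findall("saml:Assertion", NS)):
            return False, "assertion signature missing or invalid"
    if root.find("ds:Signature", NS) is not None and not _signed(root, verify):
        return False, "response signature invalid"
    return True, "accepted"  # flaw: a missing Response signature is never an error


def hardened_accepts(xml_text: str, config: dict, verify=ACCEPT_ANY):
    """Absence is an error: the Response itself, or every Assertion, must be signed."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return False, "no assertion in response"
    assertions_ok = all(_signed(a, verify) for a in assertions)
    if _wants_signed_assertions(config) and not assertions_ok:
        return False, "assertion signature missing or invalid"
    if not (_signed(root, verify) or assertions_ok):
        return False, "neither the Response nor its Assertions carry a valid signature"
    return True, "accepted"
```

Running strip_and_retarget over SIGNED_RESPONSE produces the attacker's message: no Signature anywhere and the NameID rewritten to another user. vulnerable_accepts still returns "accepted" for it under DEFAULT_CONFIG, hardened_accepts rejects it, and with MITIGATED_CONFIG even the vulnerable path rejects it, which is the effect of the advisory's "require signed assertions" advice. The Reference-URI check in _signed is the usual companion to the presence check: a signature that exists but covers a different element must not count either. In a real broker the verify callable is the XML-DSig verification against the identity provider's configured certificate; in Keycloak terms the mitigation corresponds to enabling the SAML identity provider's "Want Assertions Signed" setting (assumed label).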

Affected packages

Platform                                 Package             State          Advisory         Release
Red Hat Fuse 7                           keycloak            Will not fix
Red Hat Mobile Application Platform 4    keycloak            Not affected
Red Hat OpenShift Application Runtimes   keycloak            Affected
Red Hat Single Sign-On 7                 rh-sso7-keycloak    Affected
Red Hat Runtimes Spring Boot 2.1.12      keycloak            Fixed          RHSA-2020:2366   2020-06-04
Red Hat Single Sign-On 7.3.3 zip                             Fixed          RHSA-2019:2483   2019-08-13
Text-Only RHOAR                                              Fixed          RHSA-2020:2067   2020-05-18


Additional information

Status: Important
Weakness: CWE-287
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1728609 ("keycloak: SAML broker does not check existence of signature on document allowing any user impersonation")

EPSS: 0.00136 (34th percentile, Low)
CVSS3: 8.1 High

Related vulnerabilities

CVSS3: 8.1
nvd
more than 6 years ago

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.

CVSS3: 8.1
debian
more than 6 years ago

It was found that Keycloak's SAML broker, versions up to 6.0.1, did no ...

CVSS3: 8.1
github
more than 6 years ago

Improper Verification of Cryptographic Signature in keycloak

CVSS3: 8.1
fstec
more than 6 years ago

Vulnerability in the SAML broker component of the Keycloak identity and access management software, allowing an attacker to gain unauthorized access to the system
