Description
Keycloak up to version 6.0.0 allows the end user token (access or ID token JWT) to be used as the session cookie for browser sessions for OIDC. As a result, an attacker with access to the service provider backend could hijack the user's browser session.
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat Fuse 7 | keycloak | Will not fix | | |
| Red Hat Mobile Application Platform 4 | keycloak | Out of support scope | | |
| Red Hat OpenShift Application Runtimes | keycloak | Affected | | |
| Red Hat support for Spring Boot | keycloak | Affected | | |
| streams for Apache Kafka | keycloak | Not affected | | |
| Red Hat Runtimes Spring Boot 2.1.12 | keycloak | Fixed | RHSA-2020:2366 | 04.06.2020 |
| Red Hat Single Sign-On 7.2.7 zip | | Fixed | RHSA-2019:0868 | 23.04.2019 |
| Red Hat Single Sign-On 7.2 for RHEL 6 | rh-sso7-keycloak | Fixed | RHSA-2019:0857 | 23.04.2019 |
| Red Hat Single Sign-On 7.2 for RHEL 7 | rh-sso7-keycloak | Fixed | RHSA-2019:0856 | 23.04.2019 |
| Red Hat Single Sign-On 7.3.1 zip | | Fixed | RHSA-2019:1140 | 09.05.2019 |
Additional information
Status: Moderate
Defect: CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=1679144
keycloak: session hijack using the user access token
EPSS: 0.00291 (percentile: 52%)
CVSS3: 3.8 Low
Related vulnerabilities
CVSS3: 3.8 | nvd | almost 7 years ago
Keycloak up to version 6.0.0 allows the end user token (access or ID token JWT) to be used as the session cookie for browser sessions for OIDC. As a result, an attacker with access to the service provider backend could hijack the user's browser session.
CVSS3: 3.8 | debian | almost 7 years ago
Keycloak up to version 6.0.0 allows the end user token (access or id t ...
CVSS3: 3.8 | github | almost 7 years ago
Exposure of Sensitive Information to an Unauthorized Actor in Keycloak