#VU21706 Insufficiently protected credentials in Keycloak - CVE-2019-3868

Cybersecurity Help s.r.o.

Published: 2019-10-10

Vulnerability identifier: #VU21706

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-3868

CWE-ID: CWE-522

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Keycloak
Server applications / Directory software, identity management

Vendor: Keycloak

Description

The vulnerability allows a remote attacker to hijack user's session.

The vulnerability exists due to software may use the end user token (access or id token JWT) as a session cookie for browser sessions for OIDC. A remote attacker that has access to the service provider backend can hijack the user's browser session and gain unauthorized access to the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Keycloak: 4.8.0 - 4.8.3, 5.0.0

External links
https://access.redhat.com/errata/RHSA-2019:1140
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3868

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat update for Red Hat OpenShift Application Runtimes Thorntail 2.5.0