Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdjNTIteGo2cC05cHhw
Exposure of Sensitive Information to an Unauthorized Actor in Keycloak
Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user?s browser session.
Permalink: https://github.com/advisories/GHSA-gc52-xj6p-9pxpJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdjNTIteGo2cC05cHhw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 5 years ago
Updated: about 1 year ago
CVSS Score: 3.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-gc52-xj6p-9pxp, CVE-2019-3868
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-3868
- https://access.redhat.com/errata/RHSA-2019:1140
- https://access.redhat.com/errata/RHSA-2019:2998
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3868
- http://www.securityfocus.com/bid/108061
- https://github.com/advisories/GHSA-gc52-xj6p-9pxp
Affected Packages
maven:org.keycloak:keycloak-core
Dependent packages: 376Dependent repositories: 1,153
Downloads:
Affected Version Ranges: < 6.0.0
Fixed in: 6.0.0
All affected versions: 5.0.0
All unaffected versions: 6.0.0, 6.0.1, 7.0.0, 7.0.1, 8.0.0, 8.0.1, 8.0.2, 9.0.0, 9.0.2, 9.0.3, 10.0.0, 10.0.1, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.0.1, 14.0.0, 15.0.0, 15.0.1, 15.0.2, 15.1.0, 15.1.1, 16.0.0, 16.1.0, 16.1.1, 17.0.0, 17.0.1, 18.0.0, 18.0.1, 18.0.2, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 21.0.0, 21.0.1, 21.0.2, 21.1.0, 21.1.1, 21.1.2, 22.0.0, 22.0.1, 22.0.2, 22.0.3, 22.0.4, 22.0.5, 23.0.0, 23.0.1, 23.0.2, 23.0.3