logo

Database

Sensitive information sent insecurely In keycloak-connect

Description

Exposure of Sensitive Information to an Unauthorized Actor in Keycloak Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user?s browser session.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-38682. NVD-2019-38683. OSV-2019-38684. GCVE-2019-38685. bugzilla.redhat.com6. access.redhat.com7. access.redhat.com

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-38682. http://www.securityfocus.com/bid/108061

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.