logo

Database

Insufficient data authenticity validation In org.keycloak:keycloak-core

Description

Improper Verification of Cryptographic Signature in keycloak It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-102012. NVD-2019-102013. OSV-2019-102014. GCVE-2019-102015. bugzilla.redhat.com

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10201

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.