Authentication mechanism absence or evasion in keycloak-connect

Description

Forced Logout in keycloak-connect

Versions of keycloak-connect prior to 4.4.0 are vulnerable to forced logout. The package does not validate JWT signatures on the /k_logout route (the back-channel endpoint that the Keycloak server calls to log sessions out), so an unauthenticated attacker who can reach that route can submit a self-signed or unsigned token and log arbitrary users out. Because the handler also records the token's nbf (not-before) claim as the earliest issue time it will accept for that user, an attacker can supply a far-future nbf so that every token the user subsequently presents is rejected, preventing access indefinitely.

Recommendation

Upgrade keycloak-connect to version 4.4.0 or later, which validates the JWT signature on /k_logout before acting on the request.

Mitigation

If the upgrade cannot be applied immediately, restrict access to the application's /k_logout route at the reverse proxy or firewall so that only the Keycloak server's address can reach it. This limits who can submit logout requests but does not replace signature validation.

Update Impact

Minor version update (4.4.0). As with any dependency change, it may carry other behavioural or breaking changes, so review the release notes and test the logout flow before deploying.

Ecosystem: npm
Package: keycloak-connect
Affected versions: < 4.4.0
Patched versions: >= 4.4.0