CVE-2019-10201

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10201 Issue Tracking Mitigation
Configurations

Configuration 1

cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.3.3:*:*:*:*:*:*:*

Information

Published : 2019-08-14 05:15

Updated : 2020-10-02 02:11


NVD link : CVE-2019-10201

Mitre link : CVE-2019-10201

Products Affected
No products.
CWE
CWE-347

Improper Verification of Cryptographic Signature