Vulnerability Description
Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user’s browser session.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Keycloak | <= 6.0.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/108061Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:1140
- https://access.redhat.com/errata/RHSA-2019:2998
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3868Issue TrackingVendor Advisory
- http://www.securityfocus.com/bid/108061Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:1140
- https://access.redhat.com/errata/RHSA-2019:2998
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3868Issue TrackingVendor Advisory
FAQ
What is CVE-2019-3868?
CVE-2019-3868 is a vulnerability with a CVSS score of 3.8 (LOW). Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider ...
How severe is CVE-2019-3868?
CVE-2019-3868 has been rated LOW with a CVSS base score of 3.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-3868?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Keycloak.