CVE-2019-10201
Severity: HIGH 8.1 | EPSS: 0.14%
Improper Verification of Cryptographic Signature in keycloak
Published: 9/23/2019 | Modified: 11/8/2023
Also known as: GHSA-4fgq-gq9g-3rw7
Description
It was found that Keycloak's SAML broker, in versions up to 6.0.1, did not treat a missing message signature as a verification failure: signature checks ran only when a <Signature> element was present. If an attacker removes the <Signature> sections from a SAML Response, the message is still accepted, so its contents (for example the asserted subject) can be modified at will. An attacker could use this flaw to impersonate other users and gain access to sensitive information. The affected package range below indicates the fix shipped in 7.0.0.
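The failure mode described above, as an added example that is not Keycloak's own code: a "verify the signature only if one is present" validator beside a hardened one that rejects an unsigned Response when signatures are required. Everything here is constructed for illustration; in particular an HMAC-SHA256 over the serialized Assertion stands in for the RSA XML-DSig and C14N that a real IdP and broker would use, and the element/function names are assumptions rather than Keycloak APIs.

```python
"""Vulnerable vs. hardened SAML Response validation (CVE-2019-10201 pattern).

Constructed example. HMAC-SHA256 over the serialized <saml:Assertion> stands
in for a real XML-DSig (RSA signature over a canonicalized element); the
structure Response > Assertion > Subject/NameID with an enveloped
<ds:Signature> mirrors SAML 2.0 so the attacker step reads realistically.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)  # deterministic prefixes for serialization


class SamlError(Exception):
    """Raised when a Response must be rejected."""


def _canonical(assertion):
    """Serialize the Assertion without its ds:Signature child (stand-in for C14N)."""
    clone = copy.deepcopy(assertion)
    for sig in clone.findall(f"{{{DS}}}Signature"):
        clone.remove(sig)
    return ET.tostring(clone, encoding="utf-8")


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_response(name_id, key, signed=True):
    """Constructed IdP Response carrying one Assertion for `name_id`."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_resp1")
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_a1")
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    if signed:
        sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
        value = ET.SubElement(sig, f"{{{DS}}}SignatureValue")
        value.text = _mac(key, _canonical(assertion))
    return ET.tostring(resp, encoding="unicode")


def strip_signatures(xml_text):
    """Attacker step from the advisory: drop every <ds:Signature> element."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for sig in parent.findall(f"{{{DS}}}Signature"):
            parent.remove(sig)
    return ET.tostring(root, encoding="unicode")


def forge_name_id(xml_text, new_name_id):
    """Attacker step: rewrite the asserted subject."""
    root = ET.fromstring(xml_text)
    root.find(f".//{{{SAML}}}NameID").text = new_name_id
    return ET.tostring(root, encoding="unicode")


def _assertion_and_signature(xml_text):
    root = ET.fromstring(xml_text)
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        raise SamlError("Response carries no Assertion")
    return assertion, assertion.find(f"{{{DS}}}Signature")


def _check_signature(assertion, sig, key):
    given = sig.findtext(f"{{{DS}}}SignatureValue", "")
    if not hmac.compare_digest(given, _mac(key, _canonical(assertion))):
        raise SamlError("signature does not verify")


def validate_vulnerable(xml_text, key):
    """Pre-fix pattern: verifies a signature only if one is present, so a
    Response whose <ds:Signature> was removed is accepted unverified."""
    assertion, sig = _assertion_and_signature(xml_text)
    if sig is not None:                 # the bug: absence is not a failure
        _check_signature(assertion, sig, key)
    return assertion.findtext(f".//{{{SAML}}}NameID")


def validate_fixed(xml_text, key, require_signature=True):
    """Hardened: when the broker requires signatures, a missing
    <ds:Signature> is itself a verification failure."""
    assertion, sig = _assertion_and_signature(xml_text)
    if sig is None:
        if require_signature:
            raise SamlError("signature required but missing")
    else:
        _check_signature(assertion, sig, key)
    return assertion.findtext(f".//{{{SAML}}}NameID")


def accepts(validator, xml_text, key):
    """True if `validator` returns a subject for this Response, False if it rejects it."""
    try:
        validator(xml_text, key)
        return True
    except SamlError:
        return False


if __name__ == "__main__":
    key = b"idp-signing-secret"           # constructed; a real broker holds the IdP cert
    good = build_response("alice", key)
    forged = forge_name_id(strip_signatures(good), "admin")
    print("vulnerable accepts forged:", accepts(validate_vulnerable, forged, key))
    print("fixed accepts forged:", accepts(validate_fixed, forged, key))
```

The decisive line is the `if sig is not None` in `validate_vulnerable`: with the signature stripped, no check runs and the attacker-chosen NameID is returned. The hardened validator treats "required but absent" as a failure before it ever looks at a signature value; the same rule should apply to a Response-level signature where the broker is configured to expect one. Note that modifying the subject while leaving the signature in place still fails in both validators, which is why removal, not tampering, is the attack here.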
Affected packages (1)
- Maven: org.keycloak:keycloak-core, from 0 (all versions) to < 7.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |