CVE-2019-10201
Severity: HIGH 8.1 | EPSS 0.14% | Improper Verification of Cryptographic Signature in keycloak
Published: 2019/9/23 | Modified: 2023/11/8
Description
It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
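As an added illustration (not Keycloak's own code), the Python below contrasts the flawed policy with the corrected one on two constructed SAML samples: the flawed path verifies only the signatures it happens to find, so a Response with its Signature elements removed passes with nothing checked, while the corrected path demands a signature on the Response or on every Assertion and rejects the message otherwise. The XML-DSig verification of the returned elements (for example with xmlsec) is assumed to follow and is not shown.

```python
import xml.etree.ElementTree as ET

# Namespaces of a SAML 2.0 Response and of XML-DSig.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
DS_SIGNATURE = "{%s}Signature" % NS["ds"]

# Constructed samples (not real IdP output): a Response whose Assertion is
# signed, and the same Response with the Signature element absent.
SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
 <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
 </saml:Assertion></samlp:Response>"""
UNSIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
 <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
 </saml:Assertion></samlp:Response>"""

def signatures_vulnerable(xml_text):
    """Flawed policy: verify whatever signatures are present; an empty list means nothing is checked."""
    return list(ET.fromstring(xml_text).iter(DS_SIGNATURE))

def signatures_fixed(xml_text):
    """Corrected policy: the Response or every Assertion must be signed.
    Returns the Signature elements that must then pass XML-DSig verification, else raises."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("rejected: not a SAML Response")
    response_sig = root.find("ds:Signature", NS)
    if response_sig is not None:
        return [response_sig]  # a Response-level signature covers the whole message
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        raise ValueError("rejected: Response carries no Assertion")
    sigs = []
    for assertion in assertions:
        sig = assertion.find("ds:Signature", NS)
        if sig is None:
            raise ValueError("rejected: unsigned Assertion %s" % assertion.get("ID"))
        sigs.append(sig)
    return sigs

def accepted(policy, xml_text):
    """True if the policy lets the message proceed towards signature verification."""
    try:
        policy(xml_text)
        return True
    except ValueError:
        return False
```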
Affected packages (1)
- Maven / org.keycloak:keycloak-core, from 0, < 7.0.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |