It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10201 | Issue Tracking Mitigation Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2019-08-14T16:09:39
Updated: 2019-08-14T16:09:38
Reserved: 2019-03-27T00:00:00
Link: CVE-2019-10201
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-08-14T17:15:11.143
Modified: 2020-10-02T14:11:44.567
Link: CVE-2019-10201
JSON object: View
Redhat Information
No data.