CVE-2019-3868 : Security Advisory and Response
Keycloak up to version 6.0.0 allows the end user token to be used as the session cookie for browser sessions in OIDC, potentially leading to unauthorized access to the service provider backend. Learn about the impact, affected systems, and mitigation steps.
Keycloak up to version 6.0.0 allows the end user token to be used as the session cookie for browser sessions in OIDC, potentially enabling unauthorized access to the service provider backend.
Understanding CVE-2019-3868
Version 6.0.0 of Keycloak introduces a vulnerability that could lead to session hijacking.
What is CVE-2019-3868?
- Keycloak version 6.0.0 permits the utilization of the end user token as the session cookie for browser sessions in OIDC.
- Unauthorized access to the service provider backend could result in the hijacking of the user's browser session.
The Impact of CVE-2019-3868
- CVSS Score: 3.8 (Low)
- Attack Vector: Network
- Privileges Required: High
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Technical Details of CVE-2019-3868
Keycloak vulnerability details and affected systems.
Vulnerability Description
- Version 6.0.0 of Keycloak allows the end user token to act as the session cookie for browser sessions in OIDC.
Affected Systems and Versions
- Affected Product: Keycloak
- Vendor: Red Hat
- Affected Version: Up to 6.0.0
Exploitation Mechanism
- An attacker with unauthorized access to the service provider backend could take control of the user's browser session.
Mitigation and Prevention
Steps to mitigate and prevent exploitation of CVE-2019-3868.
Immediate Steps to Take
- Upgrade Keycloak to a patched version that addresses the vulnerability.
- Monitor and restrict access to the service provider backend.
Long-Term Security Practices
- Implement strong authentication mechanisms.
- Regularly audit and review access controls.
Patching and Updates
- Apply security patches provided by Red Hat.