It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
Advisories
Source ID Title
EUVD EUVD EUVD-2019-0650 It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
Github GHSA Github GHSA GHSA-4fgq-gq9g-3rw7 Improper Verification of Cryptographic Signature in keycloak
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2024-08-04T22:17:19.324Z

Reserved: 2019-03-27T00:00:00

Link: CVE-2019-10201

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-08-14T17:15:11.143

Modified: 2024-11-21T04:18:38.627

Link: CVE-2019-10201

cve-icon Redhat

Severity : Important

Publid Date: 2019-08-13T00:00:00Z

Links: CVE-2019-10201 - Bugzilla

cve-icon OpenCVE Enrichment

No data.