It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2019-08-14T16:09:39
Updated: 2024-08-04T22:17:19.324Z
Reserved: 2019-03-27T00:00:00
Link: CVE-2019-10201
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2019-08-14T17:15:11.143
Modified: 2020-10-02T14:11:44.567
Link: CVE-2019-10201
Redhat