{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5203", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "REJECTED", "assignerShortName": "redhat", "dateReserved": "2024-05-22T15:10:01.533Z", "datePublished": "2024-06-12T08:51:59.518Z", "dateUpdated": "2024-09-13T10:15:30.617Z", "dateRejected": "2024-09-13T10:15:30.617Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "After careful review of CVE-2024-5203, it has been determined that the issue is not exploitable in real-world scenarios. Moreover, the exploit assumes that the attacker has access to a session code parameter that matches a cookie on the Keycloak server. However the attacker does not have access to the cookie, and can therefore not craft a malicious request."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-13T10:15:30.617Z"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5203", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "REJECTED", "assignerShortName": "redhat", "dateReserved": "2024-05-22T15:10:01.533Z", "datePublished": "2024-06-12T08:51:59.518Z", "dateUpdated": "2024-09-13T10:15:30.617Z", "dateRejected": "2024-09-13T10:15:30.617Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "After careful review of CVE-2024-5203, it has been determined that the issue is not exploitable in real-world scenarios. Moreover, the exploit assumes that the attacker has access to a session code parameter that matches a cookie on the Keycloak server. However the attacker does not have access to the cookie, and can therefore not craft a malicious request."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-13T10:15:30.617Z"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: After careful review of CVE-2024-5203, it has been determined that the issue is not exploitable in real-world scenarios. Moreover, the exploit assumes that the attacker has access to a session code parameter that matches a cookie on the Keycloak server. However the attacker does not have access to the cookie, and can therefore not craft a malicious request."}], "id": "CVE-2024-5203", "lastModified": "2024-09-13T11:15:10.197", "metrics": {}, "published": "2024-06-12T09:15:20.647", "references": [], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Rejected"}

{"acknowledgement": "Red Hat would like to thank Stefanos.MAVROZOUMIS@netcompany.com for reporting this issue.", "bugzilla": {"description": "Keycloak: Login CSRF", "id": "2282572", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282572"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-352", "details": ["A Cross-site request forgery (CSRF) flaw was found in Keycloak and occurs due to the lack of a unique token sent during the authentication POST request, /login-actions/authenticate. This flaw allows an attacker to craft a malicious login page and trick a legitimate user of an application into authenticating with an attacker-controlled account instead of their own."], "name": "CVE-2024-5203", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Will not fix", "package_name": "keycloak-authentication", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "keycloak-authentication", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2024-05-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-5203\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-5203"], "statement": "After careful review of CVE-2024-5203, it has been determined that the issue is not exploitable in real-world scenarios. Moreover, the exploit assumes that the attacker has access to a session code parameter that matches a cookie on the Keycloak server. However the attacker does not have access to the cookie, and can therefore not craft a malicious request.", "threat_severity": "Low"}