GHSA-4fgq-gq9g-3rw7

Source

https://github.com/advisories/GHSA-4fgq-gq9g-3rw7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-4fgq-gq9g-3rw7/GHSA-4fgq-gq9g-3rw7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4fgq-gq9g-3rw7

Aliases

CVE-2019-10201

Published

2019-09-23T18:32:16Z

Modified

2023-11-08T04:00:43.044313Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Improper Verification of Cryptographic Signature in keycloak

Details

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-347"
    ],
    "github_reviewed_at": "2019-09-19T15:26:01Z",
    "nvd_published_at": "2019-08-14T17:15:00Z"
}

References

Affected packages

Maven / org.keycloak:keycloak-core

Package

Name: org.keycloak:keycloak-core; View open source insights on deps.dev
Purl: pkg:maven/org.keycloak/keycloak-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.0.0

Affected versions

1.*

1.0-alpha-1

1.0-alpha-1-12062013

1.0-alpha-2

1.0-alpha-3

1.0-alpha-4

1.0-beta-1

1.0-beta-1-20150521

1.0-beta-1-20150523

1.0-beta-2

1.0-beta-3

1.0-beta-4

1.0-rc-1

1.0-rc-2

1.0-final

1.0.1.Final

1.0.2.Final

1.0.3.Final

1.0.4.Final

1.0.5.Final

1.1.0.Beta1

1.1.0.Beta2

1.1.0.Final

1.1.1.Final

1.2.0.Beta1

1.2.0.CR1

1.2.0.Final

1.3.0.Final

1.3.1.Final

1.4.0.Final

1.5.0-Final

1.5.0.Final

1.5.1.Final

1.6.0.Final

1.6.1.Final

1.7.0.CR1

1.7.0.Final

1.8.0.Alpha1

1.8.0.CR1

1.8.0.CR2

1.8.0.CR3

1.8.0.Final

1.8.1.Final

1.9.0.CR1

1.9.0.Final

1.9.1.Final

1.9.2.Final

1.9.3.Final

1.9.4.Final

1.9.5.Final

1.9.7.Final

1.9.8.Final

2.*

2.0.0.CR1

2.0.0.Final

2.1.0.CR1

2.1.0.Final

2.2.0.CR1

2.2.0.Final

2.2.1.Final

2.3.0.CR1

2.3.0.Final

2.4.0.CR1

2.4.0.Final

2.5.0.CR1

2.5.0.Final

2.5.1.Final

2.5.4.Final

2.5.5.Final

3.*

3.0.0.CR1

3.0.0.Final

3.1.0.CR1

3.1.0.Final

3.2.0.CR1

3.2.0.Final

3.2.1.Final

3.3.0.CR1

3.3.0.CR2

3.3.0.Final

3.4.0.CR1

3.4.0.Final

3.4.1.CR1

3.4.1.Final

3.4.2.Final

3.4.3.Final

4.*

4.0.0.Beta1

4.0.0.Beta2

4.0.0.Beta3

4.0.0.Final

4.1.0.Final

4.2.0.Final

4.2.1.Final

4.3.0.Final

4.4.0.Final

4.5.0.Final

4.6.0.Final

4.7.0.Final

4.8.0.Final

4.8.1.Final

4.8.2.Final

4.8.3.Final

5.*

5.0.0

6.*

6.0.0

6.0.1

Database specific

last_known_affected_version_range

"<= 6.0.1"