If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted and the message can be modified, allowing the attacker to impersonate any user on the Keycloak-protected systems by modifying assertions. Upstream Issue: https://issues.jboss.org/browse/KEYCLOAK-10786
Mitigation: An administrator can prevent this issue for the POST binding by requiring signed assertions.
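The mitigation above boils down to one rule on the service-provider side: do not accept a SAML Response whose required signatures are absent, and decide that before looking at any assertion content. The following is an added defensive example written for this page; it is not Keycloak's code and not part of the bug report. It uses only the Python standard library, and the function names (`check_signature_presence`, `sample_response`), the constructed Response documents and the placeholder `SignatureValue` are all assumptions made for illustration. It only checks that `ds:Signature` elements are present as direct children of the Response and of every Assertion; the cryptographic verification of those signatures against a pinned IdP certificate (with a library such as xmlsec) must still follow.

```python
"""Fail-closed presence check for XML Signatures on a SAML 2.0 Response.

Hypothetical defensive example (not Keycloak code). A verifier that only
validates the Signature elements it happens to find will accept a Response
from which every Signature was removed; this check refuses such a message
before any assertion content is trusted. It is a presence check only: a real
consumer must still verify each signature cryptographically.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_signature_presence(xml_bytes, require_signed_assertions=True,
                             require_signed_response=False):
    """Return (ok, reasons). ok is False unless every required signature exists.

    require_signed_assertions mirrors the "require signed assertions" setting
    from the mitigation; require_signed_response additionally demands a
    signature over the whole Response. Only direct children count, so a
    Signature element buried elsewhere in the tree does not satisfy the rule.
    """
    reasons = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return False, [f"Response is not well-formed XML: {exc}"]

    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, ["root element is not samlp:Response"]

    if require_signed_response and root.find("ds:Signature", NS) is None:
        reasons.append("Response is not signed")

    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        reasons.append("Response carries no Assertion")

    if require_signed_assertions:
        for index, assertion in enumerate(assertions):
            if assertion.find("ds:Signature", NS) is None:
                aid = assertion.get("ID", f"#{index}")
                reasons.append(f"Assertion {aid} is not signed")
        # An EncryptedAssertion must be decrypted and re-checked; treat it as
        # unverified rather than silently skipping it.
        if root.findall("saml:EncryptedAssertion", NS):
            reasons.append("EncryptedAssertion present; decrypt and re-check")

    return (not reasons), reasons


# Constructed sample data: a signature stub with a placeholder value, used
# only to build test documents with or without Signature elements.
SIGNATURE_STUB = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignedInfo/>"
    "<ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue>"
    "</ds:Signature>"
)


def sample_response(sign_response, sign_assertion):
    """Build a constructed SAML Response, optionally stripped of signatures."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
        ' ID="_resp1" Version="2.0">'
        "<saml:Issuer>https://idp.example</saml:Issuer>"
        + (SIGNATURE_STUB if sign_response else "")
        + '<samlp:Status><samlp:StatusCode'
        ' Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Issuer>https://idp.example</saml:Issuer>"
        + (SIGNATURE_STUB if sign_assertion else "")
        + "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    ).encode()


if __name__ == "__main__":
    for label, doc in [("intact", sample_response(True, True)),
                       ("signatures stripped", sample_response(False, False))]:
        ok, reasons = check_signature_presence(doc)
        print(f"{label}: {'accept' if ok else 'reject'} {reasons}")
```

With the default settings the intact document is accepted and the stripped one is rejected with "Assertion _a1 is not signed"; turning on `require_signed_response` also rejects a message whose assertion is signed but whose Response envelope is not.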
Red Hat Mobile Application Platform does not make use of SAML identity brokering.
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3.3 zip Via RHSA-2019:2483 https://access.redhat.com/errata/RHSA-2019:2483
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10201
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
This issue has been addressed in the following products: Red Hat Runtimes Spring Boot 2.1.12 Via RHSA-2020:2366 https://access.redhat.com/errata/RHSA-2020:2366