Bug 1702953 (CVE-2019-10157)
Summary: | CVE-2019-10157 keycloak: Node.js adapter internal NBF can be manipulated leading to DoS. | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | aileenc, avibelli, bgeorges, cbyrne, chazlett, cmacedo, cmoulliard, dffrench, drieden, drusso, ikanello, janstey, jbalunas, jmadigan, jochrist, jpallich, jshepherd, krathod, lthon, mszynkie, ngough, pdrozd, pgallagh, psampaio, pwright, rruss, security-response-team, sthorger, trepel, trogers |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | keycloak-nodejs-connect 4.8.3 | Doc Type: | If docs needed, set a value |
Doc Text: |
It was found that Keycloak's Node.js adapter did not properly verify the web token received from the server in its backchannel logout. An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-07-12 13:07:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1702955 |
Description
Marian Rehak
2019-04-25 09:08:49 UTC
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3.2 zip Via RHSA-2019:1456 https://access.redhat.com/errata/RHSA-2019:1456 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10157 This vulnerability is out of security support scope for the following product: * Red Hat Mobile Application Platform Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details |