Bug 1729261 (CVE-2019-10199)
Summary: | CVE-2019-10199 keycloak: CSRF check missing in My Resources functionality in the Account Console | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | aileenc, avibelli, bgeorges, cbyrne, chazlett, cmacedo, cmoulliard, cthompson, dffrench, dkreling, drieden, drusso, ggaughan, ikanello, janstey, jbalunas, jmadigan, jochrist, jpallich, jshepherd, jwon, krathod, lthon, mszynkie, ngough, pdrozd, pgallagh, pjindal, pwright, rruss, security-response-team, sthorger, trepel, trogers |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | keycloak 7.0.0 | Doc Type: | If docs needed, set a value |
Doc Text: | It was found that Keycloak's account console did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via a request from an untrusted domain. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2019-08-13 20:47:10 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1728913 | | |
Description
Laura Pardo
2019-07-11 17:24:48 UTC
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3.3 zip. Via RHSA-2019:2483 https://access.redhat.com/errata/RHSA-2019:2483

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10199

This issue has been addressed in the following products: Red Hat Openshift Application Runtimes. Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067

This issue has been addressed in the following products: Red Hat Runtimes Spring Boot 2.1.12. Via RHSA-2020:2366 https://access.redhat.com/errata/RHSA-2020:2366