CVE-2019-10201
Improper Verification of Cryptographic Signature in keycloak
8.1
HIGH
CVSS 3.1
EPSS 0.14%
Description
It was found that Keycloak's SAML broker, in versions up to and including 6.0.1, did not reject SAML messages whose signature was missing. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, so its content can be altered at will. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
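As an added illustration (this is not Keycloak's code and not the patch shipped in 7.0.0), the Python below contrasts the flawed pattern the description identifies, "verify a signature only if one happens to be present", with a fail-closed policy that treats a missing <Signature> as a verification failure. The SAML Response documents are constructed samples, and `verify_xmldsig` is a stand-in for a real XML-DSig library call; it is an assumption of the example that the cryptographic check happens there and is not performed by this code.

```python
"""Fail-closed signature-presence policy for a SAML Response (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RESPONSE_TAG = "{%s}Response" % NS["samlp"]
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]
SIGNATURE_TAG = "{%s}Signature" % NS["ds"]


class SamlSecurityError(Exception):
    """Raised when a SAML Response must not be trusted."""


def verify_xmldsig(signed_node):
    # Stand-in (assumption): production code calls an XML-DSig library such as
    # xmlsec here to check canonicalisation, digests and the IdP's key. This
    # placeholder only confirms that an enveloped ds:Signature child exists.
    return signed_node.find(SIGNATURE_TAG) is not None


def accept_vulnerable(xml_bytes):
    """Flawed pattern behind CVE-2019-10201: verify only when a signature is present."""
    root = ET.fromstring(xml_bytes)
    if root.find(SIGNATURE_TAG) is not None:
        return verify_xmldsig(root)
    return True  # BUG: a message with no <Signature> at all is accepted


def accept_fixed(xml_bytes):
    """Fail-closed: the Response, or else every Assertion, must be signed and verify."""
    root = ET.fromstring(xml_bytes)
    if root.tag != RESPONSE_TAG:
        raise SamlSecurityError("not a samlp:Response")
    assertions = root.findall(ASSERTION_TAG)
    if not assertions:
        raise SamlSecurityError("Response carries no Assertion")
    if root.find(SIGNATURE_TAG) is not None:
        if not verify_xmldsig(root):
            raise SamlSecurityError("Response signature failed verification")
        return True
    # No signature on the Response itself: accept only if every Assertion is signed.
    for assertion in assertions:
        if assertion.find(SIGNATURE_TAG) is None:
            raise SamlSecurityError("unsigned Assertion inside an unsigned Response")
        if not verify_xmldsig(assertion):
            raise SamlSecurityError("Assertion signature failed verification")
    return True


def is_accepted(policy, xml_bytes):
    """Boolean wrapper: True if the policy accepts the message, False if it rejects it."""
    try:
        return bool(policy(xml_bytes))
    except SamlSecurityError:
        return False


# Constructed sample messages (not captured from a real IdP).
_SIG = ("<ds:Signature><ds:SignedInfo/>"
        "<ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>")


def _constructed_response(response_signed, assertion_signed):
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1" Version="2.0">'
        % (NS["samlp"], NS["saml"], NS["ds"])
        + (_SIG if response_signed else "")
        + '<saml:Assertion ID="_a1" Version="2.0">'
        + (_SIG if assertion_signed else "")
        + "<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>"
        + "</saml:Assertion></samlp:Response>"
    ).encode()


RESPONSE_SIGNED = _constructed_response(True, False)
ASSERTION_SIGNED = _constructed_response(False, True)
UNSIGNED = _constructed_response(False, False)  # both <Signature> blocks absent

if __name__ == "__main__":
    for name, doc in [("response-signed", RESPONSE_SIGNED),
                      ("assertion-signed", ASSERTION_SIGNED),
                      ("unsigned", UNSIGNED)]:
        print("%-16s vulnerable=%s fixed=%s" % (
            name, is_accepted(accept_vulnerable, doc), is_accepted(accept_fixed, doc)))
```

Running the block prints that the vulnerable policy accepts all three messages, including the unsigned one, while the fail-closed policy accepts only the two that carry a signature. The point generalises beyond Keycloak: any SAML consumer should decide up front which element must be signed and reject the message when that element is not, rather than letting the presence of a signature decide whether verification runs at all.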
How to fix CVE-2019-10201
To remediate CVE-2019-10201, upgrade the affected package to a fixed version below.
- upgrade to 7.0.0 or later
Is CVE-2019-10201 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- keycloak: all versions from 0 up to, but not including, 7.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |