CVE-2019-3868 — Exposure of Sensitive Information to an Unauthorized Actor in Keycloak

Description

Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user?s browser session.

How to fix CVE-2019-3868

To remediate CVE-2019-3868, upgrade the affected package to a fixed version below.

—upgrade to 6.0.0 or later

Is CVE-2019-3868 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 6.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.8	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-3868
WEBaccess.redhat.com/errata/RHSA-2019:1140
WEBaccess.redhat.com/errata/RHSA-2019:2998
WEBbugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3868
WEB