Platform
java
Component
keycloak
Fixed in
6.0.1
CVE-2019-3868 is a security vulnerability affecting Keycloak versions up to and including 6.0.0. Keycloak accepted an end-user token (an OpenID Connect access or ID token JWT) as the browser session cookie, so an attacker with access to the service provider backend that received such a token could replay it and hijack the user's browser session at Keycloak. The vulnerability is resolved in Keycloak 6.0.1 and users are advised to upgrade promptly.
The impact of CVE-2019-3868 is session hijacking at the identity provider rather than at a single application. The access or ID token that Keycloak hands to an OIDC client (the service provider) is delivered to that client's backend by design; because the same token was also honoured as the browser session cookie, the backend, or anyone who compromises it or otherwise obtains the token, can present it to Keycloak as the user's cookie, take over the user's SSO session, and from there obtain tokens for other clients in the realm. This is a token-confusion flaw in the server (a token issued for one audience was accepted in another), not a deployment misconfiguration that an administrator could have avoided. The CVSS score is LOW because the attacker must already control a backend the user has authenticated to, but where relying parties are less trusted than the identity provider, or are operated by third parties, an IdP-level session takeover is a significant concern.
CVE-2019-3868 was published on April 24, 2019. No widespread exploitation campaigns have been publicly reported, it is not listed in CISA's KEV catalogue, and its EPSS score is low (0.27%, see below). Exploitation is trivial once the precondition is met: the attacker only replays a token they already hold as a cookie value. The precondition, access to a service provider backend that the user has authenticated to, is what keeps the CVSS score LOW and limits the attack surface. Treat it as a post-compromise escalation from one relying party to the identity provider rather than as an initial-access vector.
Exploit Status
EPSS
0.27% (51st percentile)
CVSS vector
The primary mitigation for CVE-2019-3868 is to upgrade Keycloak to version 6.0.1 or later, which contains the fix. The flaw is in the server's handling of the session cookie, so there is no setting in vulnerable versions that turns it off; until you can upgrade, reduce the exposure instead: shorten access-token and ID-token lifetimes in the realm settings so that a token captured from a backend stops working as a cookie quickly, and treat a compromise of any service provider backend as a compromise of its users' Keycloak sessions, logging those users out from the admin console. A Web Application Firewall cannot tell a replayed client token from a legitimate identity cookie without inspecting JWT claims, so do not rely on it; it is not a substitute for patching. After upgrading, confirm the fix by reproducing the scenario: take a valid access token issued to a client in the realm, send it to Keycloak as the KEYCLOAK_IDENTITY cookie on a request to a realm page such as the account console, and verify that the server no longer treats the request as authenticated (typically a redirect to the login page).
Update Keycloak to a version later than 6.0.0. This stops end-user tokens from being accepted as session cookies, which removes this session-hijacking path.
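To make the mechanism and the fix concrete, the following Python model contrasts a cookie check with the flawed behaviour described above against a hardened one. It is example code added for this page, not Keycloak's source: HS256 with a constructed key stands in for the realm's RS256 signing key, the issuer URL, client ID and session ID are hypothetical, and the cookie token type label is illustrative rather than the value Keycloak uses. The vulnerable function accepts any valid realm-signed JWT as the browser session, which is exactly what lets a service provider backend replay the access token it received; the hardened function additionally requires a token type that only the identity cookie carries, so a token issued to a client is rejected even though its signature is valid.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed realm signing key: HS256 stands in for Keycloak's per-realm RS256 key (demo assumption).
REALM_KEY = b"constructed-demo-realm-key-do-not-reuse"
REALM_ISSUER = "https://idp.example/auth/realms/demo"  # hypothetical issuer URL
COOKIE_TOKEN_TYPE = "Serialized-ID"  # illustrative label for the identity-cookie token type


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint a compact JWT signed with the realm key (HS256 for the demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(REALM_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> Optional[dict]:
    """Return the claims if signature, issuer and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        expected = hmac.new(REALM_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != REALM_ISSUER or claims.get("exp", 0) < time.time():
        return None
    return claims


# What the identity provider issues. The access token goes to the OIDC client (the service
# provider backend); the identity-cookie token goes only to the user's browser.
def issue_access_token(user: str, client_id: str, ttl: int = 300) -> str:
    return sign_jwt({"iss": REALM_ISSUER, "sub": user, "typ": "Bearer",
                     "aud": client_id, "exp": time.time() + ttl})


def issue_identity_cookie(user: str, session_id: str, ttl: int = 36000) -> str:
    return sign_jwt({"iss": REALM_ISSUER, "sub": user, "typ": COOKIE_TOKEN_TYPE,
                     "session_state": session_id, "exp": time.time() + ttl})


# Vulnerable cookie check (the behaviour CVE-2019-3868 describes): any realm-signed,
# unexpired JWT is accepted as the browser session, including tokens issued to clients.
def authenticate_cookie_vulnerable(cookie_value: str) -> Optional[str]:
    claims = verify_jwt(cookie_value)
    return claims["sub"] if claims else None


# Hardened check: the cookie must carry the cookie-specific token type, so a token issued
# to a service provider (typ "Bearer", aud = the client) is rejected despite a valid signature.
def authenticate_cookie_fixed(cookie_value: str) -> Optional[str]:
    claims = verify_jwt(cookie_value)
    if not claims or claims.get("typ") != COOKIE_TOKEN_TYPE:
        return None
    return claims["sub"]


def demo() -> dict:
    """Replay the token a service provider backend legitimately holds as the session cookie."""
    stolen = issue_access_token("alice", "sp-backend")      # what the SP backend receives
    genuine = issue_identity_cookie("alice", "session-1")   # what only the browser receives
    return {
        "vulnerable_accepts_access_token": authenticate_cookie_vulnerable(stolen),
        "fixed_accepts_access_token": authenticate_cookie_fixed(stolen),
        "fixed_accepts_real_cookie": authenticate_cookie_fixed(genuine),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the three outcomes: the vulnerable check returns "alice" for the replayed access token, the hardened check returns null for it and "alice" only for the genuine cookie. The type check is the minimal illustration of the general fix, binding each token to the context it was issued for; a real server would also bind the cookie token to the server-side session it names.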
CVE-2019-3868 is a vulnerability in Keycloak versions up to and including 6.0.0 that allows an attacker holding a user's OIDC access or ID token, typically via the service provider backend it was issued to, to replay that token as the Keycloak session cookie and hijack the user's browser session. This can lead to unauthorized access to user accounts and data.
You are affected if you are using Keycloak versions prior to 6.0.1. Check your Keycloak version and upgrade immediately if you are using an older version.
The fix is to upgrade Keycloak to version 6.0.1 or later. If immediate upgrade is not possible, review OIDC configurations and implement stricter session management policies.
While no widespread exploitation campaigns have been publicly reported, exploitation is trivial for anyone who already controls a service provider backend, so the flaw is a natural escalation step after such a compromise. Proactive patching is recommended.
Refer to the Keycloak security advisories on the Keycloak website: https://www.keycloak.org/security