CVE-2019-10201 | Date: (C)2019-08-15 (M)2023-12-22 |
It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
CVSS Score and Metrics +CVSS Score and Metrics -CVSS V3 Severity: | CVSS V2 Severity: |
CVSS Score : 8.1 | CVSS Score : 5.5 |
Exploit Score: 2.8 | Exploit Score: 8.0 |
Impact Score: 5.2 | Impact Score: 4.9 |
|
CVSS V3 Metrics: | CVSS V2 Metrics: |
Attack Vector: NETWORK | Access Vector: NETWORK |
Attack Complexity: LOW | Access Complexity: LOW |
Privileges Required: LOW | Authentication: SINGLE |
User Interaction: NONE | Confidentiality: PARTIAL |
Scope: UNCHANGED | Integrity: PARTIAL |
Confidentiality: HIGH | Availability: NONE |
Integrity: HIGH | |
Availability: NONE | |
| |