CVE-2014-3709: CSRF
First published: Tue Oct 21 2014(Updated: )
It was discovered that the org.keycloak.services.resources.SocialResource.callback(String) method implementation lacked CSRF protection. A remote attacker could use this flaw to gain access to a KeyCloak managed accounts or perform other attacks.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/keycloak | <1.0.3. | 1.0.3. |
| Keycloak Keycloak | <=1.0.2.final |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2014-3709
- https://bugzilla.redhat.com/show_bug.cgi?id=1154971
- https://issues.jboss.org/browse/KEYCLOAK-765
- https://github.com/keycloak/keycloak/commit/bb132e1aa0b3b3a123883d0b8d0b788337df956d
- https://web.archive.org/web/20200227141715/http://www.securityfocus.com/bid/101508
- https://github.com/advisories/GHSA-xr6q-qqx7-553g (Advisory)
- http://www.securityfocus.com/bid/101508
- collector/github-advisory-latest
- alias/GHSA-xr6q-qqx7-553g
- alias/CVE-2014-3709
- collector/github-advisory
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/references
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- package-manager/maven
- vendor/keycloak
- canonical/keycloak keycloak
- version/keycloak keycloak/1.0.2.final
- package-manager/redhat