What is CVE-2019-10201?

CVE-2019-10201 is a vulnerability in Keycloak's SAML broker that allows an attacker to modify SAML Response messages without detection.

How severe is CVE-2019-10201?

CVE-2019-10201 has a severity score of 8.1 out of 10, indicating a high-risk vulnerability.

What is the affected software?

The affected software is Keycloak versions up to 6.0.1.

How can an attacker exploit CVE-2019-10201?

An attacker can exploit CVE-2019-10201 by modifying SAML Response messages and removing the <Signature> sections without detection.

How can I fix CVE-2019-10201?

To fix CVE-2019-10201, update Keycloak to version 7.0.0 or higher.

Vulnerability/
CVE-2019-10201

high

8.1

CWE

347 592 287

10/7/2019

13/8/2019

14/8/2019

4/8/2024

CVE-2019-10201

First published: Wed Jul 10 2019(Updated: )

If an attacker modifies the SAML Response and removes the <Signature> Sections, the message is still accepted and the message can be modified, allowing the attacker to impersonate any user on the keycloak protected systems by modifying assertations. Upstream Issue: <a href="https://issues.jboss.org/browse/KEYCLOAK-10786">https://issues.jboss.org/browse/KEYCLOAK-10786</a>

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/keycloak	<7.0.0	7.0.0
Redhat Keycloak	<=6.0.1
Redhat Single Sign-on	=7.0
Redhat Single Sign-on	=7.3.3

Remedy

Administrator can prevent this issue for POST binding by requiring signed assertions.

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2019-10201?
CVE-2019-10201 is a vulnerability in Keycloak's SAML broker that allows an attacker to modify SAML Response messages without detection.
How severe is CVE-2019-10201?
CVE-2019-10201 has a severity score of 8.1 out of 10, indicating a high-risk vulnerability.
What is the affected software?
The affected software is Keycloak versions up to 6.0.1.
How can an attacker exploit CVE-2019-10201?
An attacker can exploit CVE-2019-10201 by modifying SAML Response messages and removing the <Signature> sections without detection.
How can I fix CVE-2019-10201?
To fix CVE-2019-10201, update Keycloak to version 7.0.0 or higher.

collector/redhat-cve
collector/nvd-index
agent/type
agent/softwarecombine
agent/first-publish-date
agent/last-modified-date
agent/remedy
agent/weakness
agent/references
agent/severity
agent/author
agent/description
agent/event
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2019-10201
agent/software-canonical-lookup
agent/tags
collector/mitre-cve
source/MITRE
vendor/redhat
canonical/redhat keycloak
version/redhat keycloak/6.0.1
canonical/redhat single sign-on
version/redhat single sign-on/7.0
version/redhat single sign-on/7.3.3
package-manager/redhat

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.