Impact: Moderate Public Date: 2019-08-13 CWE: CWE-352 Bugzilla: 1729261: CVE-2019-10199 keycloak: CSRF check missing in My Resources functionality in the Account Console It was found that Keycloak's account console did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.
Find out more about CVE-2019-10199 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 4.6 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | Low |
| Availability Impact | None |
| Platform | Package | State |
|---|---|---|
| Red Hat Single Sign-On 7 | keycloak | Affected |
| Red Hat OpenShift Application Runtimes 1.0 | springboot | Under investigation |
| Red Hat OpenShift Application Runtimes 1.0 | swarm | Under investigation |
| Red Hat Mobile Application Platform On-Premise 4 | keycloak | Will not fix |
| Red Hat JBoss Fuse 7 | keycloak | Affected |
Vulmon