CVE-2019-3868 LOW

CVE-2019-3868

Vendor Red Hat

Product keycloak

Weakness CWE-200 · Info exposure

Published April 24, 2019

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

3.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user’s browser session.

Key dates

02Disclosure timeline

April 24, 2019 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-3868 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

04Related CVE

CVE-2026-4409 Subscribe To Comments Reloaded <= 240119 - Improper Authorization to Unauthenticated Arbitrary Subscription Management CVE-2024-38747 WordPress HitPay Payment Gateway for WooCommerce plugin <= 4.1.3 - Sensitive Data Exposure via Log File vulnerability CVE-2024-38798 Uncleared password keystrokes in circular queue can lead to information disclosure or escalation of privilege CVE-2026-21626 Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla CVE-2024-39593 [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management