A vulnerability was found in JBoss KeyCloak up to 1.0.3 (Application Server Software). It has been rated as problematic. Affected by this issue is the function orgkeycloakservicesresourcesSocialResourcecallback of the component CSRF Protection. The manipulation as part of a Request leads to a cross-site request forgery vulnerability. Using CWE to declare the problem leads to CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Impacted is integrity. CVE summarizes:

The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.

The bug was discovered 10/23/2015. The weakness was shared 10/18/2017 by Florian Weimer as Bug 1154971 as not defined bug report (Bugzilla). The advisory is available at bugzilla.redhat.com. This vulnerability is handled as CVE-2014-3709 since 05/14/2014. The attack may be launched remotely. No form of authentication is required for exploitation. Successful exploitation requires user interaction by the victim. Technical details are known, but there is no available exploit.

The vulnerability was handled as a non-public zero-day exploit for at least 726 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 1.0.3.Final eliminates this vulnerability.

The entries VDB-122706, VDB-130603, VDB-137821 and VDB-138196 are related to this item.

Productinfo

Type

• Application Server Software

Vendor

• JBoss

Name

• KeyCloak

Version

• 1.0.0
• 1.0.1
• 1.0.2
• 1.0.3

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion