CVE-2019-10157: Improper Authentication

June 12, 2019 (updated October 9, 2019)

It was found that Keycloak’s Node.js adapter did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.

References

www.securityfocus.com/bid/108734
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10157
nvd.nist.gov/vuln/detail/CVE-2019-10157

Code Behaviors & Features

Detect and mitigate CVE-2019-10157 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →