CVE-2024-5203

Rejected reason: After careful review of CVE-2024-5203, it has been determined that the issue is not exploitable in real-world scenarios. Moreover, the exploit assumes that the attacker has access to a session code parameter that matches a cookie on the Keycloak server. However, the attacker does not have access to the cookie, and can therefore not craft a malicious request.
CVSS

No CVSS.

References

No reference.

Configurations

No configuration.

History

13 Sep 2024, 11:15

Type Values Removed Values Added
CWE CWE-352
References
  • https://access.redhat.com/security/cve/CVE-2024-5203 (source: secalert@redhat.com)
  • https://bugzilla.redhat.com/show_bug.cgi?id=2282572 (source: secalert@redhat.com)
CVSS v2 : unknown
v3 : 3.7
v2 : unknown
v3 : unknown
Summary
  • (es) A Cross-site request forgery (CSRF) flaw was found in Keycloak and occurs due to the lack of a unique token sent during the authentication POST request, /login-actions/authenticate. This flaw allows an attacker to craft a malicious login page and trick a legitimate user of an application into authenticating with an attacker-controlled account instead of their own.
Summary
  • (en) A Cross-site request forgery (CSRF) flaw was found in Keycloak and occurs due to the lack of a unique token sent during the authentication POST request, /login-actions/authenticate. This flaw allows an attacker to craft a malicious login page and trick a legitimate user of an application into authenticating with an attacker-controlled account instead of their own.
  • (en) Rejected reason: After careful review of CVE-2024-5203, it has been determined that the issue is not exploitable in real-world scenarios. Moreover, the exploit assumes that the attacker has access to a session code parameter that matches a cookie on the Keycloak server. However, the attacker does not have access to the cookie, and can therefore not craft a malicious request.

13 Jun 2024, 18:36

Type Values Removed Values Added
Summary
  • (es) A Cross-site request forgery (CSRF) flaw was found in Keycloak and occurs due to the lack of a unique token sent during the authentication POST request, /login-actions/authenticate. This flaw allows an attacker to craft a malicious login page and trick a legitimate user of an application into authenticating with an attacker-controlled account instead of their own.

12 Jun 2024, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-12 09:15

Updated : 2024-09-13 11:15


NVD link : CVE-2024-5203

Mitre link : CVE-2024-5203

CVE.ORG link : CVE-2024-5203



Products Affected

No product.

CWE

No CWE.