Keycloak CSRF Flaw Allows Attackers to Trick Users into Authenticating with Malicious Accounts

CVE-2024-5203

Key Information

Vendor: Red Hat
Status: Red Hat Build Of Keycloak; Red Hat Single Sign-on 7
CVE Published: 12 June 2024

Summary

Rejected reason: After careful review of CVE-2024-5203, it has been determined that the issue is not exploitable in real-world scenarios. Moreover, the exploit assumes that the attacker has access to a session code parameter that matches a cookie on the Keycloak server. However, the attacker does not have access to the cookie, and can therefore not craft a malicious request.

Timeline

  • Vulnerability published.
  • Vulnerability reserved.

Collectors

NVD Database, Mitre Database

Credit

Red Hat would like to thank [email protected] for reporting this issue.