CVE-2019-10199

HIGH

Keycloak < 6.0.1 - Cross-Site Request Forgery via Inadequate Header Checks


Description

It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks on some requests. An attacker could use this flaw to trick an authenticated user into performing operations via a request originating from an untrusted domain.

References (1)

Issue Tracking, Vendor Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10199

Scores

CVSS v3 8.8
EPSS 0.0009
EPSS Percentile 26.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (2)
org.keycloak/keycloak-core 0 - 7.0.0 (Maven)
redhat/keycloak < 6.0.1
Published Aug 14, 2019
Tracked Since Feb 18, 2026