Redhat: >> Keycloak >> 4.5.0 Security Vulnerabilities
Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user’s browser session.
CVSS Score
3.8
EPSS Score
0.003
Published
2019-04-24
The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-11-30
Page 6