{
  "threat_severity" : "Moderate",
  "public_date" : "2019-08-13T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: CSRF check missing in My Resources functionality in the Account Console",
    "id" : "1729261",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1729261"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.6",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-352",
  "details" : [ "It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.", "It was found that Keycloak's account console did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Runtimes Spring Boot 2.1.12",
    "release_date" : "2020-06-04T00:00:00Z",
    "advisory" : "RHSA-2020:2366",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "keycloak"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3.3 zip",
    "release_date" : "2019-08-13T00:00:00Z",
    "advisory" : "RHSA-2019:2483",
    "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.3"
  }, {
    "product_name" : "Text-Only RHOAR",
    "release_date" : "2020-05-18T00:00:00Z",
    "advisory" : "RHSA-2020:2067",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Mobile Application Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:mobile_application_platform:4"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Out of support scope",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Affected",
    "package_name" : "rh-sso7-keycloak",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat support for Spring Boot",
    "fix_state" : "Affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10199\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10199" ],
  "name" : "CVE-2019-10199",
  "csaw" : false
}