Moderate severity vulnerability that affects org.keycloak:keycloak-core

2019-04-30T15:37:21
ID GHSA-GC52-XJ6P-9PXP
Type github
Reporter GitHub Advisory Database
Modified 2019-07-03T21:02:07

Description

Keycloak up to version 6.0.0 allows the end-user token (an access or ID token JWT) to be used as the session cookie for OIDC browser sessions. As a result, an attacker with access to a service provider backend that receives such tokens could hijack the user's browser session.