Keycloak Node.js Adapter Backchannel Logout Token Verification Bypass Vulnerability

CVE-2019-10157 · LOW Severity

AV:L/AC:L/AU:N/C:N/I:N/A:P

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout. An attacker with local access could use this to construct a malicious web token setting an NBF (not-before) claim that could prevent user access indefinitely.