The vulnerability stems from the SocialResource.callback method's failure to verify the cryptographic signature of the 'state' parameter during OAuth social login flows. Commit bb132e1 fixes this by adding RSA signature verification of the state parameter. In vulnerable versions (< 1.0.3.Final), the method simply deserialized the state without validating it, enabling CSRF attacks in which an attacker crafts a state parameter that links an attacker-controlled social account to a victim's user.
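The following is an added example, not Keycloak's code, modelling the two behaviours the advisory contrasts: a callback that deserializes the state parameter and trusts it, beside one that first verifies a signature and then binds the state to the browser session that started the login. It uses an HMAC-SHA256 tag from the Python standard library as a stand-in for the RSA signature the real fix added; the key, session identifiers and provider name are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed example: HMAC-SHA256 stands in for the RSA signature added in
# the fix. The shape is what matters: serialize -> sign -> verify on callback.


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(key: bytes, browser_session: str, provider: str) -> str:
    """Server side: build the state sent to the social provider as payload.signature."""
    body = {"session": browser_session, "provider": provider,
            "nonce": secrets.token_hex(8)}
    payload = _b64u(json.dumps(body, sort_keys=True).encode())
    sig = _b64u(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def vulnerable_callback(state: str, browser_session: str) -> dict:
    """Modelled pre-1.0.3 behaviour: deserialize state and act on it unchecked.

    Whatever session is named inside the state gets linked, regardless of
    who signed it or which browser is actually calling back.
    """
    payload = state.split(".", 1)[0]
    data = json.loads(_b64u_decode(payload))
    return {"linked_session": data["session"], "provider": data["provider"]}


def patched_callback(key: bytes, state: str,
                     browser_session: str) -> Optional[dict]:
    """Modelled fixed behaviour: reject state that is unsigned, tampered,
    or issued for a different browser session. Returns None on rejection."""
    try:
        payload, sig = state.split(".", 1)
    except ValueError:
        return None  # no signature component at all
    expected = _b64u(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # signature mismatch: forged or modified state
    data = json.loads(_b64u_decode(payload))
    if data.get("session") != browser_session:
        return None  # signed, but not for the session presenting it (CSRF)
    return {"linked_session": data["session"], "provider": data["provider"]}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed server signing key
    state = make_state(key, "sess-victim", "example-provider")
    print("legit, patched :", patched_callback(key, state, "sess-victim"))
    print("legit, other browser:", patched_callback(key, state, "sess-other"))
```

The session check is the part a signature alone does not give you: a validly signed state replayed from a different browser is still rejected, which is what ties the callback back to the user who actually started the login.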
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.keycloak:keycloak-services | maven | < 1.0.3.Final | 1.0.3.Final |