
Keycloak legacy cookies are not secured

Affected product(s)

  • Gradle Enterprise 2020.1 - 2021.4.2



Published at


Related CVE ID(s)


Gradle Enterprise uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality.

For backwards compatibility with older Safari browser versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the browser to send it when the location the cookie is set for is accessed via plain HTTP. This creates the potential for an attacker with the ability to impersonate the Gradle Enterprise host to capture the login session of a user by having them click an http:// link to the server, even though the real server requires HTTPS.

Since Gradle Enterprise 2021.4.3, the insecure cookies are no longer set.


The most effective mitigation is to update to Gradle Enterprise 2021.4.3.

Alternatively, if you have Gradle Enterprise deployed behind a layer 7 network proxy, you can filter any Set-Cookie response headers that set a cookie with a name ending in _LEGACY, from any request path with the prefix /keycloak.
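
The filtering rule above, written out in Python as an added example (not Gradle Enterprise or Keycloak code), together with a check that reports any cookie still set without Secure. The function names, the realm path and the sample headers, including the cookie names in them, are constructed for illustration; a real proxy would express the same rule in its own configuration.

```python
KEYCLOAK_PREFIX = "/keycloak"  # request path prefix named in the advisory
LEGACY_SUFFIX = "_LEGACY"      # cookie-name suffix named in the advisory


def cookie_name(set_cookie_value):
    """Return the cookie name from one Set-Cookie header value."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def has_secure(set_cookie_value):
    """True if the Secure attribute is present (attribute names are case-insensitive)."""
    return any(a.strip().lower() == "secure" for a in set_cookie_value.split(";")[1:])


def filter_response_headers(path, headers):
    """Drop *_LEGACY Set-Cookie headers on /keycloak responses.

    headers is a list of (name, value) pairs. Set-Cookie repeats once per
    cookie, so each header is inspected and dropped individually.
    """
    if not path.startswith(KEYCLOAK_PREFIX):
        return list(headers)
    return [
        (name, value) for name, value in headers
        if not (name.lower() == "set-cookie"
                and cookie_name(value).endswith(LEGACY_SUFFIX))
    ]


def insecure_cookies(headers):
    """Names of cookies set without Secure, to verify the filter or the upgrade."""
    return [cookie_name(v) for n, v in headers
            if n.lower() == "set-cookie" and not has_secure(v)]


# Constructed sample response headers (values are placeholders, not captured traffic).
SAMPLE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "KEYCLOAK_IDENTITY=tok; Path=/keycloak/realms/example/; Secure; HttpOnly; SameSite=None"),
    ("Set-Cookie", "KEYCLOAK_IDENTITY_LEGACY=tok; Path=/keycloak/realms/example/; HttpOnly"),
    ("Set-Cookie", "KEYCLOAK_SESSION_LEGACY=sid; Path=/keycloak/realms/example/"),
]

if __name__ == "__main__":
    filtered = filter_response_headers("/keycloak/realms/example/login", SAMPLE)
    print("insecure before:", insecure_cookies(SAMPLE))
    print("insecure after: ", insecure_cookies(filtered))
```

Running `insecure_cookies` over the headers a client actually receives is a quick way to confirm that either the proxy filter or the upgrade has taken effect.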