VYPR
High severity · CVSS 8.8 · NVD Advisory · Published Oct 18, 2017 · Updated May 13, 2026

CVE-2014-3709

Description

The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks: the callback parsed the JWS state parameter handed back from the social provider but never verified its signature, so a state value constructed by a remote attacker was accepted as if the realm had issued it. 1.0.3.Final verifies the signature against the realm's public key before the state is used (see the patch below).
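The mechanic behind the fix, as an added example that is not part of this advisory or of Keycloak's code: a state parameter issued as an RS256 JWS, the pre-fix reader that decodes the payload without looking at the signature, the post-fix reader that mirrors the patch's RSAProvider.verify(jwsInput, realm.getPublicKey()) step, and the forgery that tells the two apart. It is written in Go against the standard library only so it runs offline; the State field names, the function names and the sample values (realm "demo", the attacker's redirect URI) are assumptions for the example, not Keycloak's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// State is what the server round-trips through the provider's `state`
// parameter; field names are an assumption, not Keycloak's State class.
type State struct {
	Realm       string `json:"realm"`
	ClientID    string `json:"client_id"`
	RedirectURI string `json:"redirect_uri"`
	Provider    string `json:"provider"`
}

var b64 = base64.RawURLEncoding

// signState issues the state as an RS256 JWS (header.payload.signature)
// under the realm's private key.
func signState(s State, priv *rsa.PrivateKey) (string, error) {
	payload, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// readStateUnverified is the pre-fix behaviour: decode the payload and trust
// it without ever looking at the signature.
func readStateUnverified(encoded string) (State, error) {
	parts := strings.Split(encoded, ".")
	if len(parts) != 3 {
		return State{}, errors.New("malformed JWS")
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return State{}, err
	}
	var s State
	err = json.Unmarshal(raw, &s)
	return s, err
}

// readStateVerified is the post-fix behaviour: pin alg to RS256 and verify
// the signature under the realm's public key before any payload field is used.
func readStateVerified(encoded string, pub *rsa.PublicKey) (State, error) {
	parts := strings.Split(encoded, ".")
	if len(parts) != 3 {
		return State{}, errors.New("malformed JWS")
	}
	hdrRaw, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return State{}, errors.New("invalid social callback: unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return State{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return State{}, errors.New("invalid social callback: bad state signature")
	}
	return readStateUnverified(encoded) // signature checked, payload is now trustworthy
}

// forgeState is the attacker's move against the pre-fix handler: keep the
// header and signature of any state they have seen, swap in their own payload.
func forgeState(encoded string, forged State) string {
	parts := strings.Split(encoded, ".")
	payload, _ := json.Marshal(forged)
	parts[1] = b64.EncodeToString(payload)
	return strings.Join(parts, ".")
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	legit := State{Realm: "demo", ClientID: "account", RedirectURI: "https://app.example/cb", Provider: "github"}
	token, _ := signState(legit, priv)
	forged := forgeState(token, State{Realm: "demo", RedirectURI: "https://attacker.example/steal"})
	s, err := readStateUnverified(forged)
	fmt.Println("pre-fix :", s.RedirectURI, err)
	_, err = readStateVerified(forged, &priv.PublicKey)
	fmt.Println("post-fix:", err)
}
```

Run with go run: the pre-fix line prints the attacker's redirect_uri with no error, the post-fix line prints the rejection. A passing signature proves the realm issued the state; it does not by itself tie that state to the browser session completing the callback, which is a separate check (a session-bound nonce with an expiry) that the patch on this page does not add.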

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem   Affected versions   Patched versions
org.keycloak:keycloak-services   Maven       < 1.0.3.Final       1.0.3.Final

Affected products (1)

  • cpe:2.3:a:keycloak:keycloak:*:*:*:*:*:*:*:*
    Range: <=1.0.2.final

Patches (1)

Commit bb132e1aa0b3

KEYCLOAK-765 Check signature on state in social callback

https://github.com/keycloak/keycloak · Stian Thorgersen · Oct 20, 2014 · via GHSA
1 file changed · +9 −1
  • services/src/main/java/org/keycloak/services/resources/SocialResource.java (modified, +9 −1)
    @@ -31,6 +31,7 @@
     import org.keycloak.events.Errors;
     import org.keycloak.events.EventType;
     import org.keycloak.jose.jws.JWSInput;
    +import org.keycloak.jose.jws.crypto.RSAProvider;
     import org.keycloak.models.AccountRoles;
     import org.keycloak.models.ClientModel;
     import org.keycloak.models.Constants;
    @@ -106,9 +107,11 @@ public SocialResource(TokenManager tokenManager) {
         @GET
         @Path("callback")
         public Response callback(@QueryParam("state") String encodedState) throws URISyntaxException, IOException {
    +        JWSInput jwsInput;
             State initialRequest;
             try {
    -            initialRequest = new JWSInput(encodedState).readJsonContent(State.class);
    +            jwsInput = new JWSInput(encodedState);
    +            initialRequest = jwsInput.readJsonContent(State.class);
             } catch (Throwable t) {
                 logger.error("Invalid social callback", t);
                 return Flows.forms(session, null, null, uriInfo).setError("Unexpected callback").createErrorPage();
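Review bot: readJsonContent still hands back an initialRequest that nothing has authenticated at this point, and the RSAProvider.verify call that authenticates it sits further down the method, after fields of the state have already been read. Unless the realm (and so the key) can only be resolved from the state itself, move the verify call to directly after readJsonContent so that no field of initialRequest is consumed from an unverified token. Minor: catch (Throwable t) also swallows Errors such as OutOfMemoryError; catch (Exception e) is enough for a parse failure.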
    @@ -127,6 +130,11 @@ public Response callback(@QueryParam("state") String encodedState) throws URISyn
                     .detail(Details.RESPONSE_TYPE, initialRequest.get(OAuth2Constants.RESPONSE_TYPE))
                     .detail(Details.AUTH_METHOD, authMethod);
     
    +        if (!RSAProvider.verify(jwsInput, realm.getPublicKey())) {
    +            logger.error("Invalid social callback");
    +            return Flows.forms(session, null, null, uriInfo).setError("Unexpected callback").createErrorPage();
    +        }
    +
             AuthenticationManager authManager = new AuthenticationManager();
             OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
     
    
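Review bot: the signature check lands only after initialRequest.get(OAuth2Constants.RESPONSE_TYPE) has been pulled from the state into the event detail a few lines above, so until RSAProvider.verify returns that value is attacker-supplied; hoist the check so it is the first thing done once the state is parsed. Separately, a valid signature proves the realm issued the state, not that it belongs to the browser session completing this callback: nothing in the hunk ties the state to the session or gives it an expiry, so a signed state captured from an earlier flow still verifies. Consider a session-bound nonce with an expiry alongside the signature. Style: logger.error("Invalid social callback") repeats the parse-failure message verbatim; naming the reason (signature mismatch) keeps the two failures distinguishable in logs.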
