PT-2018-12632 · Red Hat · Keycloak

Laura Pardo

Publicado

2018-11-30

Atualizado

2019-10-09

CVE-2018-14637

CVSS v3.1

8.1

Alta

Vetor

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Keycloak versions prior to 4.6.0.Final

Description The issue concerns the SAML broker consumer endpoint in Keycloak, which ignores expiration conditions on SAML assertions. This can be exploited by an attacker to perform a replay attack.

Recommendations For versions prior to 4.6.0.Final, update to version 4.6.0.Final or later to resolve the issue. As a temporary workaround, consider restricting access to the SAML broker consumer endpoint to minimize the risk of exploitation.

Correção

Improper Authentication

Improper Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-287CWE-285

Identificadores relacionados

CVE-2018-14637

GHSA-GF2J-7QWG-4F5X

RHSA-2018:3592

RHSA-2018:3593

Produtos afetados

Keycloak

PT-2018-12632 · Red Hat · Keycloak

CVE-2018-14637

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 6