PT-2017-3737 · Red Hat+1 · Keycloak+2
Adam Mariš · Published 2017-09-26 · Updated 2019-01-23 · CVE-2017-2582
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Keycloak versions prior to 2.5.1
PicketLink (affected versions not specified)
Red Hat JBoss Enterprise Application Platform (affected versions not specified)
Red Hat Keycloak (affected versions not specified)
Description:
The issue lies in the parsing of SAML messages by the StaxParserUtil class, which, when reading attribute values, replaces special placeholder strings with the values of JVM system properties. An attacker can therefore set the ID attribute of a SAML request to a placeholder naming the system property of interest; the parser expands it, and the expanded value is echoed back in the "InResponseTo" attribute of the response. The root cause is inadequate input processing of SAML messages, which lets a remote attacker disclose protected information about system parameters of the attacked system using specially crafted SAML messages.
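As an added example (not part of the advisory, and not Keycloak or PicketLink code), the following Python check illustrates the defensive side of the issue: a SAML message ID is an xs:ID value and must be an NCName, so a property placeholder can never be a legitimate ID. The check scans an inbound message for placeholder syntax in any attribute and rejects messages whose ID is not a valid NCName. The `${name}` placeholder syntax and the sample requests are assumptions constructed for this example; the advisory does not spell out the exact strings StaxParserUtil expanded.

```python
import re
import xml.etree.ElementTree as ET

# Placeholder syntax assumed for this example (Java-style ${name}); the
# advisory does not state the exact special strings the parser expanded.
PLACEHOLDER = re.compile(r"\$\{[^}]*\}")

# SAML ID / InResponseTo attributes are xs:ID values, i.e. NCNames: a leading
# letter or underscore followed by letters, digits, '.', '-' or '_'.
NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def is_valid_saml_id(value: str) -> bool:
    """True when the value is a syntactically valid xs:ID (NCName)."""
    return bool(NCNAME.match(value))


def find_placeholders(xml_bytes: bytes) -> list:
    """Return (element, attribute, value) triples for every attribute whose
    value carries a property placeholder. ElementTree performs no
    substitution, so the values seen here are exactly what was sent."""
    findings = []
    root = ET.fromstring(xml_bytes)
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if PLACEHOLDER.search(value):
                # strip the namespace URI from the tag for readability
                findings.append((elem.tag.split("}")[-1], attr, value))
    return findings


def should_reject(xml_bytes: bytes) -> bool:
    """Reject a SAML message whose top-level ID is not a valid xs:ID or
    which carries a property placeholder in any attribute."""
    root = ET.fromstring(xml_bytes)
    message_id = root.get("ID", "")
    return not is_valid_saml_id(message_id) or bool(find_placeholders(xml_bytes))


# Constructed sample messages (not taken from any real deployment).
BENIGN_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_a1b2c3d4e5" Version="2.0" IssueInstant="2017-01-01T00:00:00Z"/>'
)
SUSPICIOUS_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="${some.system.property}" Version="2.0" IssueInstant="2017-01-01T00:00:00Z"/>'
)

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, "reject" if should_reject(msg) else "accept", find_placeholders(msg))
```

The same NCName rule can be applied on the sending side: a service provider that only ever issues NCName IDs and compares the returned InResponseTo byte-for-byte against the ID it stored will not accept a response whose correlation value was altered by substitution.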
Recommendations:
For Keycloak versions prior to 2.5.1: Update to version 2.5.1 or later to resolve the issue.
For PicketLink: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
For Red Hat JBoss Enterprise Application Platform: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
For Red Hat Keycloak: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Information Disclosure
Affected Products
Red Hat JBoss Enterprise Application Platform
Keycloak
PicketLink