CVE-2017-2582

Published: 26 Sep 2017
Source: redhat
CVSS3: 6.5
EPSS: Low

Description

It was found that, while parsing SAML messages, the StaxParserUtil class of Keycloak before 2.5.1 replaced special strings used for obtaining attribute values with the values of system properties. This could allow an attacker to determine the values of system properties on the attacked system by setting the SAML request ID field to the name of the chosen system property, whose value would then be returned in the "InResponseTo" field of the response.

It was found that, while parsing SAML messages, the StaxParserUtil class of Picketlink replaced special strings used for obtaining attribute values with the values of system properties. This could allow an attacker to determine the values of system properties on the attacked system by setting the SAML request ID field to the name of the chosen system property, whose value would then be returned in the "InResponseTo" field of the response.

Affected packages

Platform                                          | Package             | State                | Recommendation | Release
--------------------------------------------------|---------------------|----------------------|----------------|--------
Red Hat BPM Suite 6                               | picketlink-idm-core | Not affected         |                |
Red Hat JBoss BRMS 6                              | picketlink-idm-core | Not affected         |                |
Red Hat JBoss Data Grid 6                         | picketlink-idm-impl | Not affected         |                |
Red Hat JBoss Data Grid 6                         | picketlink-impl     | Not affected         |                |
Red Hat JBoss Enterprise Application Platform 6   | picketlink-idm-impl | Out of support scope |                |
Red Hat JBoss Enterprise Application Platform 7   | picketlink-idm-impl | Not affected         |                |
Red Hat JBoss Fuse 6                              | switchyard          | Not affected         |                |
Red Hat JBoss Operations Network 3                | picketlink-idm-impl | Not affected         |                |
Red Hat JBoss Operations Network 3                | picketlink-impl     | Not affected         |                |
Red Hat JBoss Portal 6                            | picketlink-idm-impl | Will not fix         |                |


Additional information

Status: Moderate
Weakness: CWE-201
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1410481
keycloak: SAML request parser replaces special strings with system properties

EPSS: 0.00663 (percentile: 71%, Low)

CVSS3: 6.5 Medium

Related vulnerabilities

CVSS3: 6.5
nvd
more than 7 years ago

It was found that, while parsing SAML messages, the StaxParserUtil class of Keycloak before 2.5.1 replaced special strings used for obtaining attribute values with the values of system properties. This could allow an attacker to determine the values of system properties on the attacked system by setting the SAML request ID field to the name of the chosen system property, whose value would then be returned in the "InResponseTo" field of the response.

CVSS3: 6.5
debian
more than 7 years ago

It was found that while parsing the SAML messages the StaxParserUtil c ...

CVSS3: 6.5
github
more than 7 years ago

keycloak-core discloses system properties

CVSS3: 6.5
fstec
more than 8 years ago

A vulnerability in the StaxParserUtil class of the Picketlink security and identity management software for Java applications that allows an attacker to disclose protected information
