Description
The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.
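The flaw described above is a missing time-window check on the assertion's `Conditions` element, which is what makes a captured assertion replayable. The following is an added example, not Keycloak's own code, showing the two checks a SAML consumer needs: reject an assertion outside its `NotBefore`/`NotOnOrAfter` window (with a small clock-skew allowance), and remember consumed assertion IDs until their expiry so an assertion cannot be presented twice even inside that window. The assertion XML, the timestamps and the 60-second skew are constructed sample values.

```python
"""Added example (not Keycloak code): validate the validity window of a
SAML 2.0 assertion and reject replays of an already-consumed assertion."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned; signature checking is a separate
# step). The ID, issuer and timestamps are made up for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" IssueInstant="2018-11-13T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2018-11-13T10:00:00Z"
                   NotOnOrAfter="2018-11-13T10:05:00Z"/>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse an xs:dateTime as used in SAML ("...Z" or explicit offset) to UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:  # treat a naive timestamp as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def check_conditions(assertion_xml, now, clock_skew=timedelta(seconds=60)):
    """Return (ok, reason). An assertion without an expiry is rejected:
    one that never expires can be replayed indefinitely, which is exactly
    the failure mode of skipping this check."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "no Conditions element"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is None:
        return False, "no NotOnOrAfter"
    if not_before is not None and now + clock_skew < parse_saml_instant(not_before):
        return False, "assertion not yet valid"
    # NotOnOrAfter is exclusive: the assertion is invalid at that exact instant
    if now - clock_skew >= parse_saml_instant(not_on_or_after):
        return False, "assertion expired"
    return True, "within validity window"


class AssertionReplayCache:
    """Remember consumed assertion IDs until they can no longer be valid,
    so a still-unexpired assertion cannot be accepted a second time."""

    def __init__(self, clock_skew=timedelta(seconds=60)):
        self._seen = {}  # assertion ID -> instant after which it is certainly expired
        self._clock_skew = clock_skew

    def consume(self, assertion_xml, now):
        ok, reason = check_conditions(assertion_xml, now, self._clock_skew)
        if not ok:
            return False, reason
        root = ET.fromstring(assertion_xml)
        assertion_id = root.get("ID")
        if not assertion_id:
            return False, "assertion has no ID"
        expiry = parse_saml_instant(root.find("saml:Conditions", SAML_NS).get("NotOnOrAfter"))
        # Forget IDs that check_conditions would reject anyway; keeps the cache bounded.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if assertion_id in self._seen:
            return False, "replayed assertion ID"
        self._seen[assertion_id] = expiry + self._clock_skew
        return True, "accepted"


if __name__ == "__main__":
    cache = AssertionReplayCache()
    for when in ("2018-11-13T10:02:00Z", "2018-11-13T10:03:00Z", "2018-11-13T10:07:00Z"):
        print(when, cache.consume(SAMPLE_ASSERTION, parse_saml_instant(when)))
```

The cache is in-memory, so in a clustered deployment the consumed-ID set would need to live in shared storage; the expiry check alone still bounds the replay window to the IdP's `NotOnOrAfter` plus the configured skew.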
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Fuse 7 | keycloak | Not affected | | |
| Red Hat Mobile Application Platform 4 | keycloak | Out of support scope | | |
| Red Hat Single Sign-On 7.2.5 zip | | Fixed | RHSA-2018:3595 | 13.11.2018 |
| Red Hat Single Sign-On 7.2 for RHEL 6 | rh-sso7-keycloak | Fixed | RHSA-2018:3592 | 13.11.2018 |
| Red Hat Single Sign-On 7.2 for RHEL 7 | rh-sso7-keycloak | Fixed | RHSA-2018:3593 | 13.11.2018 |
Additional information
Status:
Important
Weakness:
CWE-287->CWE-285
https://bugzilla.redhat.com/show_bug.cgi?id=1627851
keycloak: expiration not validated in SAML broker consumer endpoint
EPSS
Percentile: 48%
0.00252
Low
6.1 Medium
CVSS3
Related vulnerabilities
CVSS3: 6.1
nvd
about 7 years ago
The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.
CVSS3: 6.1
debian
about 7 years ago
The SAML broker consumer endpoint in Keycloak before version 4.6.0.Fin ...