Description
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the NotOnOrAfter timestamp within the SubjectConfirmationData. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.
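The check described as missing, shown as a stand-alone illustration (added here; not Keycloak's code): a small Python validator that rejects a bearer assertion whose SubjectConfirmationData NotOnOrAfter has passed, even though the assertion's Conditions are still valid. The sample assertion, the endpoint URLs and the 30-second clock-skew tolerance are constructed assumptions.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample (not a real Keycloak message): Conditions stay valid until 2099,
# but the bearer SubjectConfirmationData expired at 12:05 on 2024-01-01.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.example.test/broker/endpoint"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2099-01-01T00:00:00Z"/>
</saml:Assertion>"""

def parse_instant(value):
    """SAML timestamps are xsd:dateTime in UTC; accept the 'Z' suffix and fractions."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def conditions_expired(assertion_xml, now):
    """What a broker that only looks at Conditions sees: the sample passes this check."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    limit = cond.get("NotOnOrAfter") if cond is not None else None
    return limit is not None and now >= parse_instant(limit)

def check_subject_confirmation(assertion_xml, now, skew=timedelta(seconds=30)):
    """Return None if every bearer SubjectConfirmationData is still usable at `now`,
    else a reason. NotOnOrAfter is exclusive: a value equal to `now` (after the
    tolerated clock skew is subtracted) is already expired."""
    root = ET.fromstring(assertion_xml)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        limit = data.get("NotOnOrAfter") if data is not None else None
        if limit is None:  # bearer confirmations must carry it (SAML Profiles 4.1.4.2)
            return "bearer SubjectConfirmationData without NotOnOrAfter"
        if now - skew >= parse_instant(limit):
            return "SubjectConfirmationData expired at " + limit
    return None
```

A broker that applies only `conditions_expired` accepts the sample at any time before 2099; `check_subject_confirmation` rejects it from 12:05 on.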
Statement
This vulnerability is rated Low for Red Hat products. In the Red Hat context, this flaw in Keycloak's SAML brokering functionality allows an attacker to delay the expiration of SAML responses, because the NotOnOrAfter timestamp in SubjectConfirmationData is not validated. This could lead to unexpected session durations or increased resource consumption.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 8 | keycloak-services | Fix deferred | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | keycloak-services | Fix deferred | | |
| Red Hat Single Sign-On 7 | keycloak-services | Fix deferred | | |
| Red Hat build of Keycloak 26.4 | rhbk/keycloak-operator-bundle | Fixed | RHSA-2026:3948 | 05.03.2026 |
| Red Hat build of Keycloak 26.4 | rhbk/keycloak-rhel9 | Fixed | RHSA-2026:3948 | 05.03.2026 |
| Red Hat build of Keycloak 26.4 | rhbk/keycloak-rhel9-operator | Fixed | RHSA-2026:3948 | 05.03.2026 |
| Red Hat build of Keycloak 26.4.10 | rhbk/keycloak-rhel9 | Fixed | RHSA-2026:3947 | 05.03.2026 |
Additional information
CVSS3: 3.1 Low
Related vulnerabilities
Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods