6.5

CVE-2017-2582

It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatKeycloak Version < 2.5.1
RedhatJboss Enterprise Application Platform Version6.0.0
   RedhatEnterprise Linux Version5.0
   RedhatEnterprise Linux Version6.0
   RedhatEnterprise Linux Version7.0
RedhatJboss Enterprise Application Platform Version6.4.0
   RedhatEnterprise Linux Version5.0
   RedhatEnterprise Linux Version6.0
   RedhatEnterprise Linux Version7.0
RedhatJboss Enterprise Application Platform Version7.0.0
   RedhatEnterprise Linux Version5.0
   RedhatEnterprise Linux Version6.0
   RedhatEnterprise Linux Version7.0
RedhatJboss Enterprise Application Platform Version7.1.0
   RedhatEnterprise Linux Version5.0
   RedhatEnterprise Linux Version6.0
   RedhatEnterprise Linux Version7.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.46% 0.823
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 4 8 2.9
AV:N/AC:L/Au:S/C:P/I:N/A:N
secalert@redhat.com 6.5 2.8 3.6
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-201 Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

https://access.redhat.com/errata/RHSA-2017:2808
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:2809
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:2810
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:2811
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2740
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2741
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2742
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2743
Vendor Advisory
http://www.securitytracker.com/id/1041707
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/101046
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2017:3216
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3217
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3218
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3219
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3220
Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:0136
https://access.redhat.com/errata/RHSA-2019:0137
https://access.redhat.com/errata/RHSA-2019:0139
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2582
Patch
Vendor Advisory
Issue Tracking
https://github.com/keycloak/keycloak/pull/3715/commits/0cb5ba0f6e83162d221681f47b470c3042eef237
Patch
Third Party Advisory