CVE-2017-2582

EPSS 0.66%
Published 26.07.2018 17:29:00
Last modified 21.11.2024 03:23:46
Source secalert@redhat.com
Teams watchlist Login
Open Login

It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.

Affected products Warnungen 0 Metrics 4 CWE 2 References 23

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Keycloak Version < 2.5.1

Redhat ≫ Jboss Enterprise Application Platform Version6.0.0

   Redhat ≫ Enterprise Linux Version5.0
   Redhat ≫ Enterprise Linux Version6.0
   Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version6.4.0

   Redhat ≫ Enterprise Linux Version5.0
   Redhat ≫ Enterprise Linux Version6.0
   Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version7.0.0

   Redhat ≫ Enterprise Linux Version5.0
   Redhat ≫ Enterprise Linux Version6.0
   Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version7.1.0

   Redhat ≫ Enterprise Linux Version5.0
   Redhat ≫ Enterprise Linux Version6.0
   Redhat ≫ Enterprise Linux Version7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.66%	0.702

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N
secalert@redhat.com	6.5	2.8	3.6	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N