CVSS base score: 7.7

CVE-2024-8698

keycloak-saml-core: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak

A flaw exists in the SAML signature validation method of the Keycloak XMLSignatureUtil class. The method decides whether a SAML signature covers the full document or only specific assertions based on the position of the Signature element in the XML document, rather than on the Reference element that identifies the signed element. This allows an attacker to craft responses that bypass the validation, potentially leading to privilege escalation or impersonation attacks.

Possible countermeasure
Keycloak Server: install the latest version

Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
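The validator-side check the description calls for, as an added example that is not Keycloak's code: the element a ds:Signature covers is resolved from its ds:Reference URI (via the SAML ID attribute) instead of from the Signature's position, and the Response only counts as signed when the Reference resolves to the Response itself. The sample document is constructed for illustration and no cryptographic verification is performed.

```python
# Added example (not Keycloak's code): decide what a SAML <ds:Signature> covers
# from its <ds:Reference URI="#..."> rather than from where the Signature sits.
# Constructed input; no cryptographic verification is performed here.
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
RESPONSE = "{urn:oasis:names:tc:SAML:2.0:protocol}Response"

def index_ids(root):
    # Map every ID-typed attribute value to its element (SAML 2.0 uses "ID").
    return {el.attrib[a]: el for el in root.iter()
            for a in ("ID", "Id", "id") if a in el.attrib}

def scope_by_position(signature, parent_map):
    # The flawed heuristic: whatever element contains the Signature is "signed".
    return parent_map[signature].tag

def scope_by_reference(signature, ids):
    # Correct: the element named by the single Reference URI ("#id"); an empty URI means the whole document.
    refs = signature.findall(f"./{DS}SignedInfo/{DS}Reference")
    if len(refs) != 1:
        raise ValueError("expected exactly one Reference")
    uri = refs[0].get("URI", "")
    if uri == "":
        return "document"
    if not uri.startswith("#") or uri[1:] not in ids:
        raise ValueError(f"unresolvable Reference URI {uri!r}")
    return ids[uri[1:]].tag

def classify(xml_text):
    # Return (position_scope, reference_scope) for every Signature in the document.
    root = ET.fromstring(xml_text)
    parent_map = {c: p for p in root.iter() for c in p}
    ids = index_ids(root)
    return [(scope_by_position(s, parent_map), scope_by_reference(s, ids))
            for s in root.iter(f"{DS}Signature")]

def is_response_signed(xml_text):
    # Validator-side rule: the Response counts as signed only when some
    # Signature's Reference resolves to the Response element itself.
    return any(ref == RESPONSE for _, ref in classify(xml_text))

# Constructed sample: the Signature is a direct child of the Response, but its
# Reference names the Assertion, so the Response itself must not count as signed.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_asrt1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_asrt1"/>
</samlp:Response>"""
```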
Affected products (CNA data)

Collection URL: https://github.com/keycloak/keycloak
Package: keycloak
Default status: unaffected
Versions: from 0, < 25.0.5: affected

Vendor: Red Hat
Product: Red Hat Build of Keycloak
Default status: unaffected (listed twice in the source record)

Vendor: Red Hat
Product: Red Hat build of Keycloak 22
Default status: affected
Versions (status unaffected, each from the given version, < *):
  22.0.13-1
  22-18
  22-21

Vendor: Red Hat
Product: Red Hat build of Keycloak 24
Default status: affected
Versions (status unaffected, each from the given version, < *):
  24.0.8-1
  24-17 (listed twice in the source record)

Vendor: Red Hat
Product: Red Hat JBoss Enterprise Application Platform 8
Default status: unaffected (listed twice in the source record)

Vendor: Red Hat
Product: Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default status: affected
Versions (status unaffected, each from the given package version, < *):
  0:2.33.0-1.redhat_00015.1.el8eap
  1:2.0.0-2.redhat_00005.1.el8eap
  0:1.8.0-2.redhat_00001.1.el8eap
  0:2.2.0-2.redhat_00001.1.el8eap
  0:1.16.1-2.redhat_00007.1.el8eap
  0:3.2.2-28.redhat_2.1.el8eap
  0:2.15.1-1.redhat_00001.1.el8eap
  0:3.14.0-2.redhat_00006.1.el8eap
  0:4.0.5-1.redhat_00001.1.el8eap
  1:2.0.0-2.redhat_00005.1.el8eap
  0:2.0.1-1.redhat_00002.1.el8eap
  0:0.1.0-2.redhat_00010.1.el8eap
  0:1.12.284-2.redhat_00002.1.el8eap
  0:1.2.5-2.redhat_00001.1.el8eap
  0:800.4.0-1.GA_redhat_00001.1.el8eap
  0:2.1.0-4.redhat_00001.1.el8eap
  0:6.2.31-1.Final_redhat_00002.1.el8eap
  0:8.0.1-3.Final_redhat_00001.1.el8eap
  0:0.8.1-2.redhat_00001.1.el8eap
  0:1.1.3-1.redhat_00001.1.el8eap
  0:3.0.1-1.redhat_00001.1.el8eap
  0:1.1.3-1.redhat_00001.1.el8eap
  0:3.5.3-1.Final_redhat_00001.1.el8eap
  0:4.0.2-1.redhat_00001.1.el8eap
  0:5.3.10-1.Final_redhat_00001.1.el8eap
  0:2.22.1-1.redhat_00002.1.el8eap
  0:6.0.3-1.Final_redhat_00001.1.el8eap
  0:9.37.3-1.redhat_00001.1.el8eap
  0:9.6.0-1.redhat_00002.1.el8eap
  0:2.3.0-1.redhat_00001.1.el8eap
  0:2.0.1-3.Final_redhat_00001.1.el8eap
  0:3.0.1-2.Final_redhat_00001.1.el8eap
  0:3.0.4-1.redhat_00001.1.el8eap
  0:8.0.0-6.redhat_00001.1.el8eap
  0:2.0.16-1.redhat_00001.1.el8eap
  0:2.2.0-1.redhat_00001.1.el8eap
  0:8.0.4-2.GA_redhat_00005.1.el8eap

Vendor: Red Hat
Product: Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
Default status: affected
Versions (status unaffected, each from the given package version, < *):
  0:2.33.0-1.redhat_00015.1.el9eap
  1:2.0.0-2.redhat_00005.1.el9eap
  0:1.8.0-2.redhat_00001.1.el9eap
  0:2.2.0-2.redhat_00001.1.el9eap
  0:1.16.1-2.redhat_00007.1.el9eap
  0:3.2.2-28.redhat_2.1.el9eap
  0:2.15.1-1.redhat_00001.1.el9eap
  0:3.14.0-2.redhat_00006.1.el9eap
  0:4.0.5-1.redhat_00001.1.el9eap
  1:2.0.0-2.redhat_00005.1.el9eap
  0:2.0.1-1.redhat_00002.1.el9eap
  0:0.1.0-2.redhat_00010.1.el9eap
  0:1.12.284-2.redhat_00002.1.el9eap
  0:1.2.5-2.redhat_00001.1.el9eap
  0:800.4.0-1.GA_redhat_00001.1.el9eap
  0:2.1.0-4.redhat_00001.1.el9eap
  0:6.2.31-1.Final_redhat_00002.1.el9eap
  0:8.0.1-3.Final_redhat_00001.1.el9eap
  0:0.8.1-2.redhat_00001.1.el9eap
  0:1.1.3-1.redhat_00001.1.el9eap
  0:3.0.1-1.redhat_00001.1.el9eap
  0:1.1.3-1.redhat_00001.1.el9eap
  0:3.5.3-1.Final_redhat_00001.1.el9eap
  0:4.0.2-1.redhat_00001.1.el9eap
  0:5.3.10-1.Final_redhat_00001.1.el9eap
  0:2.22.1-1.redhat_00002.1.el9eap
  0:6.0.3-1.Final_redhat_00001.1.el9eap
  0:9.37.3-1.redhat_00001.1.el9eap
  0:9.6.0-1.redhat_00002.1.el9eap
  0:2.3.0-1.redhat_00001.1.el9eap
  0:2.0.1-3.Final_redhat_00001.1.el9eap
  0:3.0.1-2.Final_redhat_00001.1.el9eap
  0:3.0.4-1.redhat_00001.1.el9eap
  0:8.0.0-6.redhat_00001.1.el9eap
  0:2.0.16-1.redhat_00001.1.el9eap
  0:2.2.0-1.redhat_00001.1.el9eap
  0:8.0.4-2.GA_redhat_00005.1.el9eap

Vendor: Red Hat
Product: Red Hat Single Sign-On 7
Default status: unaffected

Vendor: Red Hat
Product: Red Hat Single Sign-On 7.6 for RHEL 7
Default status: affected
Versions: from 0:18.0.18-1.redhat_00001.1.el7sso, < *: unaffected

Vendor: Red Hat
Product: Red Hat Single Sign-On 7.6 for RHEL 8
Default status: affected
Versions: from 0:18.0.18-1.redhat_00001.1.el8sso, < *: unaffected

Vendor: Red Hat
Product: Red Hat Single Sign-On 7.6 for RHEL 9
Default status: affected
Versions: from 0:18.0.18-1.redhat_00001.1.el9sso, < *: unaffected

Vendor: Red Hat
Product: RHEL-8 based Middleware Containers
Default status: affected
Versions: from 7.6-54, < *: unaffected

Vendor: Red Hat
Product: Red Hat Build of Keycloak
Default status: affected

Vendor: Red Hat
Product: Red Hat Single Sign-On 7
Default status: affected
Further vulnerability information
System: Keycloak
Product: Keycloak Server
Version >= 0.0.0, < 22.0.13
Version >= 24.0.0, < 24.0.8
Version >= 25.0.0, < 25.0.6
No advisory was found for this CVE.
EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 81.26% | 0.992

CVSS metrics
Source | Base score | Exploit score | Impact score | Vector string
secalert@redhat.com | 7.7 | 1.8 | 5.3 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

CWE-347: Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.