CVE-2018-10894 — Insufficient Verification of Data Authenticity in RED HAT Keycloak

CWE-345 — Insufficient Verification of Data Authenticity CWE-295 — Improper Certificate Validation7 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

0.1%

top 82.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Keycloak Redhat Keycloak Redhat Single Sign-on

Timeline

PublishedAug 1

Latest updateMay 13

Description

It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶NVDredhat/keycloak3.4.3

▶CVEListV5red_hat/keycloak3.4.3.Final

▶NVDredhat/single_sign-on7.2

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

Keycloak Authentication Error↗2022-05-13

▶

GHSA

Keycloak Authentication Error↗2022-05-13

▶

CVEList

CVE-2018-10894: It was found that SAML authentication in Keycloak 3↗2018-08-01

▶

📋Vendor Advisories

Red Hat

keycloak: auth permitted with expired certs in SAML client↗2018-07-09

▶

💬Community

Bugzilla

CVE-2018-8027 camel-core: XXE in XSD validation processor↗2018-08-02

▶

Bugzilla

CVE-2018-10894 keycloak: auth permitted with expired certs in SAML client↗2018-07-09

▶