CVE-2018-14637 — Improper Authorization in Redhat Keycloak

CWE-285 — Improper Authorization CWE-287 — Improper Authentication CWE-613 — Insufficient Session Expiration6 documents6 sources

Severity

8.1HIGHNVD

CNA6.1

EPSS

0.3%

top 51.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak

Timeline

PublishedNov 30

Latest updateDec 21

Description

The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages1 packages

▶NVDredhat/keycloak< 4.6.0

🔴Vulnerability Details

GHSA

Improper Authentication in Keycloak↗2018-12-21

▶

OSV

Improper Authentication in Keycloak↗2018-12-21

▶

CVEList

CVE-2018-14637: The SAML broker consumer endpoint in Keycloak before version 4↗2018-11-30

▶

📋Vendor Advisories

Red Hat

keycloak: expiration not validated in SAML broker consumer endpoint↗2018-11-27

▶

💬Community

Bugzilla

CVE-2018-14637 keycloak: expiration not validated in SAML broker consumer endpoint↗2018-09-11

▶