CVE-2024-8698
Published: 2024-09-19
Priority: P355 · Severity: high · CVSS 3.1: 7.7
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Exploit: EPSS 2.03% (78.6th percentile)
A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
Detection & IOCs (extracted from sources)
- A successful exploit results in an HTTP 302 redirect response containing both KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookies in the response headers, indicating session establishment under a manipulated identity.
- The attack is delivered via a POST to the SAML broker endpoint with a crafted SAMLResponse parameter (base64+URL-encoded) and a RelayState, using a stolen AUTH_SESSION_ID_LEGACY cookie. Monitor for SAML broker endpoint POST requests where the SAMLResponse contains a modified Assertion ID (ID attribute truncated by one character) alongside a retained ds:Signature node.
- The exploit manipulates XML structure by moving the ds:Signature node from the Assertion to immediately after the saml:Issuer element at the Response level, then injecting a modified unsigned Assertion. Detect SAML responses where a ds:Signature appears as a sibling of saml:Issuer at the Response level while a separate Assertion lacks a signature.
- The core flaw is in Keycloak's XMLSignatureUtil class: signature scope is determined by XML position rather than the Reference element. Flag any SAML response where the ds:Signature/ds:SignedInfo/ds:Reference URI does not match the ID of the top-level element containing the signature.
- The Nuclei template requires a valid pre-authenticated SAMLResponse and its associated AUTH_SESSION_ID_LEGACY cookie and RelayState to be supplied as variables before execution — it does not generate these from scratch.
- The exploit script requires Python with the lxml library pre-installed on the system running Nuclei.
- Affected packages are org.keycloak/keycloak-saml-core-public in both Red Hat Build of Keycloak and Red Hat Single Sign-On 7. No mitigation meeting Red Hat's criteria is available; patching via the listed RHSAs is required.
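The scope check described in the detection notes above (Reference URI must match the ID of the element that actually encloses the ds:Signature, regardless of where the signature sits), written out as an added, defender-side example; this is not Keycloak's code or the Nuclei template. The two SAML documents are constructed inline with placeholder signature values, so the block only checks signature scope, not the cryptographic signature itself.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def signature_scope_findings(xml_text: str) -> list:
    """Return scope findings for a SAML Response; an empty list means it passed.

    Rule: the ID of the element enclosing each ds:Signature must equal its
    ds:SignedInfo/ds:Reference URI (minus '#'). Where the signature sits in
    the tree is ignored on purpose; trusting position is the CVE-2024-8698 defect.
    """
    root = ET.fromstring(xml_text)
    findings, signed_ids = [], set()
    for parent in root.iter():  # ElementTree has no parent pointers, so walk parent -> child
        for sig in parent.findall(f"{DS}Signature"):
            ref = sig.find(f"{DS}SignedInfo/{DS}Reference")
            uri = ref.get("URI", "") if ref is not None else ""
            pid = parent.get("ID", "")
            if uri.startswith("#") and uri[1:] == pid:
                signed_ids.add(pid)
            else:
                local = parent.tag.rpartition("}")[2]
                findings.append(f"Reference URI {uri!r} does not match enclosing {local} ID {pid!r}")
    response_signed = root.get("ID") in signed_ids
    for a in root.iter(f"{SAML}Assertion"):  # an unsigned Assertion is only acceptable
        if a.get("ID") not in signed_ids and not response_signed:  # inside a signed Response
            findings.append(f"Assertion {a.get('ID')!r} is not covered by any signature")
    return findings


def _sample(sig_at_response: bool, assertion_id: str) -> str:
    """Constructed minimal SAML Response (placeholder signature value, no real keys)."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
           '<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>')
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">'
            '<saml:Issuer>https://idp.example</saml:Issuer>'
            + (sig if sig_at_response else '')
            + f'<saml:Assertion ID="{assertion_id}"><saml:Issuer>https://idp.example</saml:Issuer>'
            + ('' if sig_at_response else sig)
            + '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
            '</saml:Assertion></samlp:Response>')


# Signature inside the Assertion it references: passes.
BENIGN = _sample(sig_at_response=False, assertion_id="_a1")
# Signature moved to sit after saml:Issuer at Response level, Assertion ID truncated: flagged.
CRAFTED = _sample(sig_at_response=True, assertion_id="_a")
```

Cryptographic verification of the signature value against the trusted IdP certificate is a separate, still-required step; this check only catches the scope confusion.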
CVSS provenance
NVD (v3.1): 7.7 HIGH, CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Red Hat (vendor): 7.7 HIGH
OSV
osv · 2024-10-14
CVE-2024-8698 [HIGH] Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak
GHSA
ghsa · 2024-10-14
CVE-2024-8698 [HIGH] CWE-347 Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak
Red Hat
vendor_redhat · 2024-09-19 · CVSS 7.7
CVE-2024-8698 [HIGH] CWE-347 keycloak-saml-core: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak
No detection rules found.
Nuclei
nuclei · CVSS 7.7
CVE-2024-8698 [HIGH] Keycloak - SAML Core Package Signature Validation Flaw
Template:
id: CVE-2024-8698
info:
  name: Keycloak - SAML Core Package Signature Validation Flaw
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
References
https://access.redhat.com/errata/RHSA-2024:6878
https://access.redhat.com/errata/RHSA-2024:6879
https://access.redhat.com/errata/RHSA-2024:6880
https://access.redhat.com/errata/RHSA-2024:6882
https://access.redhat.com/errata/RHSA-2024:6886
https://access.redhat.com/errata/RHSA-2024:6887
https://access.redhat.com/errata/RHSA-2024:6888
https://access.redhat.com/errata/RHSA-2024:6889
https://access.redhat.com/errata/RHSA-2024:6890
https://access.redhat.com/errata/RHSA-2024:8823
https://access.redhat.com/errata/RHSA-2024:8824
https://access.redhat.com/errata/RHSA-2024:8826
https://access.redhat.com/security/cve/CVE-2024-8698
https://bugzilla.redhat.com/show_bug.cgi?id=2311641