Red Hat Keycloak vulnerabilities

CVE-2017-2646 [HIGH] CWE-835 CVE-2017-2646: It was found that when Keycloak before 2.5.5 receives a Logout request with a Extensions in the midd It was found that when Keycloak before 2.5.5 receives a Logout request with a Extensions in the middle of the request, the SAMLSloRequestParser.parse() method ends in a infinite loop. An attacker could use this flaw to conduct denial of service attacks.

CVE-2017-2582 [MEDIUM] CWE-201 CVE-2017-2582: It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which coul