CVE-2017-2646 – org.keycloak:keycloak-core
Package
Manager: maven
Name: org.keycloak:keycloak-core
Vulnerable Version: >=0 <2.5.5
Severity
Level: High
CVSS v3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00503 (percentile 0.65079)
Details
Keycloak vulnerable to infinite-loop-based denial of service. When Keycloak versions prior to 2.5.5 receive a SAML Logout request that carries an Extensions element in the middle of the request (between the elements the parser expects), the SAMLSloRequestParser.parse() method enters an infinite loop (CWE-835). Because the logout endpoint is reachable without authentication (AV:N, PR:N), a remote attacker could send such a request to conduct a denial of service attack against the server.
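The defect class behind this advisory is a pull-parser dispatch loop that peeks at the next element, handles the names it knows, and does nothing for names it does not know, so the cursor never advances past an unexpected element. The following is an added illustration of that pattern and of the usual fix (skip the unknown subtree); it is not Keycloak's code, does not reproduce SAMLSloRequestParser, and the sample LogoutRequest, its values and the function names are constructed for the example.

```python
"""Illustration of a CWE-835 loop in a StAX-style SAML parser (not Keycloak code)."""
import io
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: a LogoutRequest with <Extensions> sitting between
# <Issuer> and <NameID>. Identifiers and hosts are hypothetical.
LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_example-id" Version="2.0" IssueInstant="2017-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <samlp:Extensions><ext:Foo xmlns:ext="urn:example:ext">x</ext:Foo></samlp:Extensions>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
  <samlp:SessionIndex>_session-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def tokenize(xml_text):
    """Flatten the document into (event, localname, text) tokens, like a StAX reader."""
    tokens = []
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, elem in ET.iterparse(source, events=("start", "end")):
        local = elem.tag.rsplit("}", 1)[-1]          # strip the namespace URI
        tokens.append((event, local, elem.text if event == "end" else None))
    return tokens


class Cursor:
    """Peek/next over the token list; peek() does NOT advance."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def next(self):
        tok = self.peek()
        self.pos += 1
        return tok


def read_leaf(cursor):
    """Consume a child-less element (start + end) and return its text."""
    cursor.next()                      # start token
    _, _, text = cursor.next()         # end token carries the text
    return text


def skip_subtree(cursor):
    """Consume the element at the cursor together with everything nested in it."""
    depth = 0
    while True:
        event, _, _ = cursor.next()
        depth += 1 if event == "start" else -1
        if depth == 0:
            return


def _parse(xml_text, skip_unknown, max_steps=1000):
    """Shared dispatch loop. With skip_unknown=False an unexpected element is
    never consumed, so peek() returns the same token on every iteration.
    max_steps is only a guard so the demo returns; None signals "stuck"."""
    cur = Cursor(tokenize(xml_text))
    cur.next()                         # consume <LogoutRequest> start
    result = {}
    for _ in range(max_steps):
        tok = cur.peek()
        if tok is None or tok[0] == "end":
            return result              # reached </LogoutRequest>
        _, local, _ = tok
        if local == "Issuer":
            result["issuer"] = read_leaf(cur)
        elif local == "NameID":
            result["name_id"] = read_leaf(cur)
        elif local == "SessionIndex":
            result["session_index"] = read_leaf(cur)
        elif skip_unknown:
            skip_subtree(cur)          # fix: advance past e.g. <Extensions>
        else:
            continue                   # bug: nothing advances the cursor
    return None                        # would have looped forever


def parse_vulnerable(xml_text):
    return _parse(xml_text, skip_unknown=False)


def parse_hardened(xml_text):
    return _parse(xml_text, skip_unknown=True)


if __name__ == "__main__":
    print("vulnerable:", parse_vulnerable(LOGOUT_REQUEST))
    print("hardened:  ", parse_hardened(LOGOUT_REQUEST))
```

The same request parses cleanly once unknown elements are skipped as a whole subtree; a parser that merely consumed the one start token would still desynchronise on nested content, which is why the skip tracks depth. When auditing other pull-parser loops for this class of bug, the question to ask of every branch is whether the cursor position has strictly increased by the time the loop repeats.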
Metadata
Created: 2018-10-18T16:49:29Z
Modified: 2022-09-13T23:31:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jc6q-27mw-p55w/GHSA-jc6q-27mw-p55w.json
CWE IDs: ["CWE-835"]
Alternative ID: GHSA-jc6q-27mw-p55w
Finding: F138
Auto approve: 1