org.keycloak:keycloak-saml-core 1.5.0-Final vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-saml-core package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Exposure of Sensitive Information Through Environmental Variables org.keycloak:keycloak-saml-core is an Identity and Access Management plugin for Keycloak. Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs. Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like `${env.VARNAME}` or `${PROPNAME}`, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties. How to fix Exposure of Sensitive Information Through Environmental Variables? Upgrade `org.keycloak:keycloak-saml-core` to version 26.0.8 or higher.	[,26.0.8)
M Improper Verification of Cryptographic Signature org.keycloak:keycloak-saml-core is an Identity and Access Management plugin for Keycloak. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the flawed SAML signature validation method in the `XMLSignatureUtil` class. An attacker can escalate privileges or impersonate another user by crafting responses that bypass the validation process. How to fix Improper Verification of Cryptographic Signature? Upgrade `org.keycloak:keycloak-saml-core` to version 22.0.13, 24.0.8, 25.0.6 or higher.	[,22.0.13)[23.0.0,24.0.8)[25.0.0,25.0.6)
M Improper Verification of Cryptographic Signature org.keycloak:keycloak-saml-core is an Identity and Access Management plugin for Keycloak. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature improper validation logic in the signature validation method, which relies on the position of signatures rather than explicitly checking the referenced elements. An attacker can escalate privileges or impersonate another user by crafting responses that bypass the signature validation. This facilitates unauthorized access to high-privileged accounts in SAML-based identity providers and service providers. How to fix Improper Verification of Cryptographic Signature? Upgrade `org.keycloak:keycloak-saml-core` to version 22.0.13, 24.0.8, 25.0.6 or higher.	[,22.0.13)[23.0.0,24.0.8)[25.0.0,25.0.6)
H Arbitrary Code Execution org.keycloak:keycloak-saml-core is an Identity and Access Management plugin for Keycloak. Affected versions of this package are vulnerable to Arbitrary Code Execution. It allows arbitrary Javascript to be uploaded for SAML protocol mapper even if UPLOAD_SCRIPTS feature disabled. An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled. How to fix Arbitrary Code Execution? Upgrade `org.keycloak:keycloak-saml-core` to version 19.0.2 or higher.	[,19.0.2)
M Information Exposure org.keycloak:keycloak-saml-core is an Open Source Identity and Access Management For Modern Applications and Services. Affected versions of this package are vulnerable to Information Exposure. While parsing `SAML` messages, the `StaxParserUtil` class replaced special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the `SAML` request ID field to be the chosen system property which could be obtained in the `InResponseTo` field in the response. How to fix Information Exposure? Upgrade `org.keycloak:keycloak-saml-core` to version 2.5.1 or higher.	[,2.5.1.Final)
M Information Exposure `org.keycloak:keycloak-saml-core` is an open Source Identity and Access Management for modern Applications and Services. Affected versions of the package are vulnerable to Information Exposure. In certain cases, the SAML request parser replaces special strings with system properties. How to fix Information Exposure? Upgrade `org.keycloak:keycloak-saml-core` to version 2.5.1.Final or higher.	[,2.5.1.Final)
H Denial of Service (DoS) `org.keycloak:keycloak-saml-core` Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. It mishandles `Logout` requests that contain an `Extension` element, which triggers an infinite loop.	[1.2.0.Final,2.5.5.Final)

Vulnerability

Vulnerable Version

Exposure of Sensitive Information Through Environmental Variables

org.keycloak:keycloak-saml-core is an Identity and Access Management plugin for Keycloak.

Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs.

Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like ${env.VARNAME} or ${PROPNAME}, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties.

How to fix Exposure of Sensitive Information Through Environmental Variables?

Upgrade org.keycloak:keycloak-saml-core to version 26.0.8 or higher.

[,26.0.8)

Improper Verification of Cryptographic Signature

org.keycloak:keycloak-saml-core is an Identity and Access Management plugin for Keycloak.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the flawed SAML signature validation method in the XMLSignatureUtil class. An attacker can escalate privileges or impersonate another user by crafting responses that bypass the validation process.

How to fix Improper Verification of Cryptographic Signature?

Upgrade org.keycloak:keycloak-saml-core to version 22.0.13, 24.0.8, 25.0.6 or higher.

[,22.0.13)[23.0.0,24.0.8)[25.0.0,25.0.6)

Improper Verification of Cryptographic Signature

org.keycloak:keycloak-saml-core is an Identity and Access Management plugin for Keycloak.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature improper validation logic in the signature validation method, which relies on the position of signatures rather than explicitly checking the referenced elements. An attacker can escalate privileges or impersonate another user by crafting responses that bypass the signature validation. This facilitates unauthorized access to high-privileged accounts in SAML-based identity providers and service providers.

How to fix Improper Verification of Cryptographic Signature?

Upgrade org.keycloak:keycloak-saml-core to version 22.0.13, 24.0.8, 25.0.6 or higher.

[,22.0.13)[23.0.0,24.0.8)[25.0.0,25.0.6)

Arbitrary Code Execution

org.keycloak:keycloak-saml-core is an Identity and Access Management plugin for Keycloak.

Affected versions of this package are vulnerable to Arbitrary Code Execution. It allows arbitrary Javascript to be uploaded for SAML protocol mapper even if UPLOAD_SCRIPTS feature disabled. An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.

How to fix Arbitrary Code Execution?

Upgrade org.keycloak:keycloak-saml-core to version 19.0.2 or higher.

[,19.0.2)

Information Exposure

org.keycloak:keycloak-saml-core is an Open Source Identity and Access Management For Modern Applications and Services.

Affected versions of this package are vulnerable to Information Exposure. While parsing SAML messages, the StaxParserUtil class replaced special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the InResponseTo field in the response.

How to fix Information Exposure?

Upgrade org.keycloak:keycloak-saml-core to version 2.5.1 or higher.

[,2.5.1.Final)

Information Exposure

org.keycloak:keycloak-saml-core is an open Source Identity and Access Management for modern Applications and Services.

Affected versions of the package are vulnerable to Information Exposure. In certain cases, the SAML request parser replaces special strings with system properties.

How to fix Information Exposure?

Upgrade org.keycloak:keycloak-saml-core to version 2.5.1.Final or higher.

[,2.5.1.Final)

Denial of Service (DoS)

org.keycloak:keycloak-saml-core Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. It mishandles Logout requests that contain an Extension element, which triggers an infinite loop.

[1.2.0.Final,2.5.5.Final)

org.keycloak:keycloak-saml-core@1.5.0-Final vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?