Improper Verification of Cryptographic Signature Affecting org.keycloak:keycloak-saml-core package, versions [,22.0.13)[23.0.0,24.0.8)[25.0.0,25.0.6)

Q: How to fix?

Upgrade org.keycloak:keycloak-saml-core to version 22.0.13, 24.0.8, 25.0.6 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JAVA-ORGKEYCLOAK-8186520
published15 Oct 2024
disclosed14 Oct 2024
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 14 Oct 2024

CWE-347 (opens in a new tab)

How to fix?

Upgrade org.keycloak:keycloak-saml-core to version 22.0.13, 24.0.8, 25.0.6 or higher.

Overview

org.keycloak:keycloak-saml-core is an Identity and Access Management plugin for Keycloak.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the flawed SAML signature validation method in the XMLSignatureUtil class. An attacker can escalate privileges or impersonate another user by crafting responses that bypass the validation process.

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
High
Integrity (SI)
Low
Availability (SA)
Low