Improper Verification of Cryptographic Signature Affecting org.keycloak:keycloak-saml-core package, versions [,22.0.13) [23.0.0,24.0.8) [25.0.0,25.0.6)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGKEYCLOAK-8186520
- published 15 Oct 2024
- disclosed 14 Oct 2024
- credit Unknown
How to fix?
Upgrade org.keycloak:keycloak-saml-core to version 22.0.13, 24.0.8, 25.0.6 or higher.
Overview
org.keycloak:keycloak-saml-core is an Identity and Access Management plugin for Keycloak.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the flawed SAML signature validation method in the XMLSignatureUtil class. An attacker can escalate privileges or impersonate another user by crafting responses that bypass the validation process.