dev-mend-for-github-com[bot]
commented
1 year ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Keycloak SSO
Library home page: http://keycloak.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/keycloak/keycloak-saml-core/1.8.1.Final/keycloak-saml-core-1.8.1.Final.jar,/app/target/verademo/WEB-INF/lib/keycloak-saml-core-1.8.1.Final.jar
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2017-2646
### Vulnerable Library - keycloak-saml-core-1.8.1.Final.jarKeycloak SSO
Library home page: http://keycloak.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/keycloak/keycloak-saml-core/1.8.1.Final/keycloak-saml-core-1.8.1.Final.jar,/app/target/verademo/WEB-INF/lib/keycloak-saml-core-1.8.1.Final.jar
Dependency Hierarchy: - :x: **keycloak-saml-core-1.8.1.Final.jar** (Vulnerable Library)
Found in base branch: main
### Reachability AnalysisThe vulnerable code is not reachable.
### Vulnerability DetailsIt was found that when Keycloak before 2.5.5 receives a Logout request with a Extensions in the middle of the request, the SAMLSloRequestParser.parse() method ends in a infinite loop. An attacker could use this flaw to conduct denial of service attacks.
Publish Date: 2018-07-27
URL: CVE-2017-2646
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-2646
Release Date: 2018-07-27
Fix Resolution: 2.5.5.Final
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-2582
### Vulnerable Library - keycloak-saml-core-1.8.1.Final.jarKeycloak SSO
Library home page: http://keycloak.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/keycloak/keycloak-saml-core/1.8.1.Final/keycloak-saml-core-1.8.1.Final.jar,/app/target/verademo/WEB-INF/lib/keycloak-saml-core-1.8.1.Final.jar
Dependency Hierarchy: - :x: **keycloak-saml-core-1.8.1.Final.jar** (Vulnerable Library)
Found in base branch: main
### Reachability AnalysisThe vulnerable code is not reachable.
### Vulnerability DetailsIt was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.
Publish Date: 2018-07-26
URL: CVE-2017-2582
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2582
Release Date: 2018-07-26
Fix Resolution: 2.5.1.Final
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.