CVE: 2017-2582 found in Keycloak SAML Core - Version: 1.8.1.Final [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Keycloak SAML Core
Description	Keycloak SSO
Language	JAVA
Vulnerability	Information Disclosure
Vulnerability description	keycloak-saml-core is vulnerable to sensitive information disclosure. The attack exists because SAML messages are being parsed by replacing the string to obtain the attribute values with the system property in StaxParserUtil class. Therefore, attacker can just parse the chosen system property name through the SAML request ID field and can get the response with system property value in InResponseTo filed .
CVE	2017-2582
CVSS score	4
Vulnerability present in version/s	1.2.0.CR1-2.5.0.Final
Found library version/s	1.8.1.Final
Vulnerability fixed in version	2.5.1.Final
Library latest version	23.0.1
Fix

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/379321?version=1.8.1.Final
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/5177
• Patch: https://github.com/keycloak/keycloak/commit/0cb5ba0f6e83162d221681f47b470c3042eef237

[github-actions[bot]]

Veracode issue link to PR: https://github.com/veracode-repository-ruleset/verademo-java-maven/pull/54