Main Vulnerability Database SB2018113010

SB2018113010 - Improper Authentication in Keycloak

Published: November 30, 2018 Updated: August 8, 2020

Security Bulletin ID SB2018113010

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Authentication (CVE-ID: CVE-2018-14637)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.

Remediation

Install update from vendor's website.

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14637