CVE-2018-14637

Description

The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.

CVSS breakdown

CVSS 3.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected products

Unknown / keycloak4.6.0.Final – 4.6.0.Final

References

MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14637