Keycloak vulnerable to infinite loop based Denial of Service

GHSA-jc6q-27mw-p55w · CVE-2017-2646

Published Oct 18, 2018 · Modified Nov 8, 2023

Description

When Keycloak versions prior to 2.5.5 receive a Logout request with an Extensions in the middle of the request, the SAMLSloRequestParser.parse() method ends in an infinite loop. An attacker could use this flaw to conduct denial of service attacks.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-2646
ADVISORY https://github.com/advisories/GHSA-jc6q-27mw-p55w
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes