Keycloak insufficient session expiration

GHSA-cm29-6wx7-p874 · CVE-2021-3461

Published Apr 3, 2022 · Modified Feb 16, 2024

Description

A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name].

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-3461
WEB https://github.com/keycloak/keycloak/issues/11203
WEB https://bugzilla.redhat.com/show_bug.cgi?id=1941565

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes