CVE - CVE-2017-2582

CVE-ID
CVE-2017-2582	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:101046 URL:http://www.securityfocus.com/bid/101046 MISC:1041707 URL:http://www.securitytracker.com/id/1041707 MISC:RHSA-2017:2808 URL:https://access.redhat.com/errata/RHSA-2017:2808 MISC:RHSA-2017:2809 URL:https://access.redhat.com/errata/RHSA-2017:2809 MISC:RHSA-2017:2810 URL:https://access.redhat.com/errata/RHSA-2017:2810 MISC:RHSA-2017:2811 URL:https://access.redhat.com/errata/RHSA-2017:2811 MISC:RHSA-2017:3216 URL:https://access.redhat.com/errata/RHSA-2017:3216 MISC:RHSA-2017:3217 URL:https://access.redhat.com/errata/RHSA-2017:3217 MISC:RHSA-2017:3218 URL:https://access.redhat.com/errata/RHSA-2017:3218 MISC:RHSA-2017:3219 URL:https://access.redhat.com/errata/RHSA-2017:3219 MISC:RHSA-2017:3220 URL:https://access.redhat.com/errata/RHSA-2017:3220 MISC:RHSA-2018:2740 URL:https://access.redhat.com/errata/RHSA-2018:2740 MISC:RHSA-2018:2741 URL:https://access.redhat.com/errata/RHSA-2018:2741 MISC:RHSA-2018:2742 URL:https://access.redhat.com/errata/RHSA-2018:2742 MISC:RHSA-2018:2743 URL:https://access.redhat.com/errata/RHSA-2018:2743 MISC:RHSA-2019:0136 URL:https://access.redhat.com/errata/RHSA-2019:0136 MISC:RHSA-2019:0137 URL:https://access.redhat.com/errata/RHSA-2019:0137 MISC:RHSA-2019:0139 URL:https://access.redhat.com/errata/RHSA-2019:0139 MISC:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2582 URL:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2582 MISC:https://github.com/keycloak/keycloak/pull/3715/commits/0cb5ba0f6e83162d221681f47b470c3042eef237 URL:https://github.com/keycloak/keycloak/pull/3715/commits/0cb5ba0f6e83162d221681f47b470c3042eef237
Assigning CNA
Red Hat, Inc.
Date Record Created
20161201	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20161201)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)

Site Map | Terms of Use | Privacy Policy | Contact Us | Follow CVE

Use of the CVE® List and the associated references from this website are subject to the terms of use. CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 1999–2024, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation.