CVE-2018-14637

The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.

Published: Nov 30, 2018
Updated: May 9, 2024
CVE: CVE-2018-14637
GHSA: GHSA-gf2j-7qwg-4f5x
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-287
CWE-285

OWASP TOP 10:

A2 - Broken Authentication
A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
redhat / keycloak	-	4.6.0
org.keycloak / keycloak-core	-	4.6.0

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14637

Vulnerability Database

289,599

CVE-2018-14637