Potential Keycloak vulnerability VUF-24089509 in DevTes 10.X

book

Article ID: 212083

calendar_today

Updated On:

Products

Service Virtualization

Issue/Introduction

Vulnerability Finding ID: VUF-24089509   Communication Date: 3/24/2021  
Vulnerability Finding Name: Keycloak broker/saml/SAMLEndpoint.java SAML Request Principal Type Handling Incomplete Backchannel Logout Local Weakness
Discussion: Keycloak broker/saml/SAMLEndpoint.java SAML Request Principal Type Handling Incomplete Backchannel Logout Local Weakness.
Keycloak contains a flaw in broker/saml/SAMLEndpoint.java that is triggered as backchannel logouts are not completed when handling logout requests from external SAML identity providers with a principal type set to attribute name.
This may allow an attacker with physical access to gain unauthorized access.
CVSS Score: 2.6
CVE-ID: CVE-2021-3461
Product: Red Hat [Keycloak (Unspecified)]

Environment

DevTest 10.6

Component : CA Service Virtualization

Resolution

It looks like the vulnerability is applicable only to SAML Identity Provider,
which we are not using. We are only using OpenID Connect 1.0 identity provider.

So, we are not vulnerable with this vulnerability.
For more reference, please refer https://bugzilla.redhat.com/show_bug.cgi?id=1941565