Vulnerability Finding ID: VUF-24089509 Communication Date: 3/24/2021
Vulnerability Finding Name: Keycloak broker/saml/SAMLEndpoint.java SAML Request Principal Type Handling Incomplete Backchannel Logout Local Weakness
Discussion: Keycloak broker/saml/SAMLEndpoint.java SAML Request Principal Type Handling Incomplete Backchannel Logout Local Weakness.
Keycloak contains a flaw in broker/saml/SAMLEndpoint.java that is triggered as backchannel logouts are not completed when handling logout requests from external SAML identity providers with a principal type set to attribute name.
This may allow an attacker with physical access to gain unauthorized access.
CVSS Score: 2.6
Product: Red Hat [Keycloak (Unspecified)]
Component : CA Service Virtualization
It looks like the vulnerability is applicable only to SAML Identity Provider,
which we are not using. We are only using OpenID Connect 1.0 identity provider.
So, we are not vulnerable with this vulnerability.
For more reference, please refer https://bugzilla.redhat.com/