VulnerableCode Package Details - pkg:maven/org.keycloak/keycloak-saml-core@19.0.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-dd3n-vx2q-b3b8 Aliases: GHSA-q2gp-gph3-88x9	Keycloak allows arbitrary Javascript to be uploaded for SAML protocol mapper even if UPLOAD_SCRIPTS feature disabled ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of [GHSA-wf7g-7h6h-678v](https://github.com/advisories/GHSA-wf7g-7h6h-678v). This link is maintained to preserve external references. ## Original Description An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.	There are no reported fixed by versions.
VCID-qcj1-m1ga-9qh1 Aliases: GHSA-4xx7-2cx3-x473	Duplicate Advisory: Keycloak SAML signature validation flaw # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xgfv-xpx8-qhcr. This link is maintained to preserve external references. # Original Description A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.	25.0.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-xd7x-aevv-cfcp Aliases: CVE-2026-2575 GHSA-xv6h-r36f-3gp5	Keycloak: Denial of Service due to excessive SAMLRequest decompression A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.	26.5.4 Affected by 0 other vulnerabilities.
VCID-z76m-nbap-v7ab Aliases: CVE-2024-8698 GHSA-xgfv-xpx8-qhcr	Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.	22.0.13 Affected by 0 other vulnerabilities. 24.0.8 Affected by 0 other vulnerabilities. 25.0.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-dd3n-vx2q-b3b8
Aliases:
GHSA-q2gp-gph3-88x9

Keycloak allows arbitrary Javascript to be uploaded for SAML protocol mapper even if UPLOAD_SCRIPTS feature disabled ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of [GHSA-wf7g-7h6h-678v](https://github.com/advisories/GHSA-wf7g-7h6h-678v). This link is maintained to preserve external references. ## Original Description An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.

There are no reported fixed by versions.

VCID-qcj1-m1ga-9qh1
Aliases:
GHSA-4xx7-2cx3-x473

Duplicate Advisory: Keycloak SAML signature validation flaw # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xgfv-xpx8-qhcr. This link is maintained to preserve external references. # Original Description A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

25.0.6
Affected by 1 other vulnerability.

VCID-xd7x-aevv-cfcp
Aliases:
CVE-2026-2575
GHSA-xv6h-r36f-3gp5

Keycloak: Denial of Service due to excessive SAMLRequest decompression A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.

26.5.4
Affected by 0 other vulnerabilities.

VCID-z76m-nbap-v7ab
Aliases:
CVE-2024-8698
GHSA-xgfv-xpx8-qhcr

Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

22.0.13
Affected by 0 other vulnerabilities.

24.0.8
Affected by 0 other vulnerabilities.

25.0.6
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-29T23:27:58.123291+00:00	GitLab Importer	Affected by	VCID-xd7x-aevv-cfcp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/CVE-2026-2575.yml	38.5.0
2026-04-29T21:52:56.852295+00:00	GitLab Importer	Affected by	VCID-z76m-nbap-v7ab	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/CVE-2024-8698.yml	38.5.0
2026-04-29T21:50:20.946651+00:00	GitLab Importer	Affected by	VCID-qcj1-m1ga-9qh1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/GHSA-4xx7-2cx3-x473.yml	38.5.0
2026-04-19T18:07:47.099762+00:00	GitLab Importer	Affected by	VCID-xd7x-aevv-cfcp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/CVE-2026-2575.yml	38.4.0
2026-04-16T23:11:41.462671+00:00	GitLab Importer	Affected by	VCID-z76m-nbap-v7ab	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/CVE-2024-8698.yml	38.4.0
2026-04-16T23:09:11.482016+00:00	GitLab Importer	Affected by	VCID-qcj1-m1ga-9qh1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/GHSA-4xx7-2cx3-x473.yml	38.4.0
2026-04-12T00:30:06.160984+00:00	GitLab Importer	Affected by	VCID-z76m-nbap-v7ab	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/CVE-2024-8698.yml	38.3.0
2026-04-12T00:27:25.384680+00:00	GitLab Importer	Affected by	VCID-qcj1-m1ga-9qh1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/GHSA-4xx7-2cx3-x473.yml	38.3.0
2026-04-03T00:37:46.030082+00:00	GitLab Importer	Affected by	VCID-z76m-nbap-v7ab	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/CVE-2024-8698.yml	38.1.0
2026-04-03T00:35:06.619657+00:00	GitLab Importer	Affected by	VCID-qcj1-m1ga-9qh1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/GHSA-4xx7-2cx3-x473.yml	38.1.0
2026-04-01T16:02:55.588664+00:00	GHSA Importer	Affected by	VCID-dd3n-vx2q-b3b8	https://github.com/advisories/GHSA-q2gp-gph3-88x9	38.0.0