VulnerableCode Package Details - pkg:maven/org.keycloak/keycloak-saml-core@1.5.0-Final

Search for packages

Vulnerability	Summary	Fixed by
VCID-khfn-ze7d-5fd5 Aliases: CVE-2021-3827 GHSA-4pc7-vqv5-5r3v GMS-2022-1098	ECP SAML binding bypasses authentication flows ### Description A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.	18.0.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-pdcw-p5d6-ubgd Aliases: GHSA-4xx7-2cx3-x473	Duplicate Advisory: Keycloak SAML signature validation flaw # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xgfv-xpx8-qhcr. This link is maintained to preserve external references. # Original Description A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.	25.0.6 Affected by 0 other vulnerabilities.
VCID-ru9h-j213-rbf7 Aliases: CVE-2024-8698 GHSA-xgfv-xpx8-qhcr	Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.	22.0.13 Affected by 0 other vulnerabilities. 24.0.8 Affected by 0 other vulnerabilities. 25.0.6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-khfn-ze7d-5fd5
Aliases:
CVE-2021-3827
GHSA-4pc7-vqv5-5r3v
GMS-2022-1098

ECP SAML binding bypasses authentication flows ### Description A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.

18.0.0
Affected by 2 other vulnerabilities.

VCID-pdcw-p5d6-ubgd
Aliases:
GHSA-4xx7-2cx3-x473

Duplicate Advisory: Keycloak SAML signature validation flaw # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xgfv-xpx8-qhcr. This link is maintained to preserve external references. # Original Description A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

25.0.6
Affected by 0 other vulnerabilities.

VCID-ru9h-j213-rbf7
Aliases:
CVE-2024-8698
GHSA-xgfv-xpx8-qhcr

Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

22.0.13
Affected by 0 other vulnerabilities.

24.0.8
Affected by 0 other vulnerabilities.

25.0.6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T11:59:21.054886+00:00	GitLab Importer	Affected by	VCID-ru9h-j213-rbf7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/GHSA-xgfv-xpx8-qhcr.yml	37.0.0
2025-08-01T11:59:17.332951+00:00	GitLab Importer	Affected by	VCID-ru9h-j213-rbf7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/CVE-2024-8698.yml	37.0.0
2025-08-01T11:56:31.654914+00:00	GitLab Importer	Affected by	VCID-pdcw-p5d6-ubgd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/GHSA-4xx7-2cx3-x473.yml	37.0.0
2025-08-01T10:21:15.360015+00:00	GitLab Importer	Affected by	VCID-khfn-ze7d-5fd5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/GMS-2022-1098.yml	37.0.0