Vulnerability details: VCID-er4b-335e-xydr
Vulnerability ID: VCID-er4b-335e-xydr
Aliases: CVE-2017-2582, GHSA-c77r-6f64-478q
Summary: keycloak-core discloses system properties. While parsing SAML messages, the StaxParserUtil class in Keycloak before 2.5.1 replaced special strings in attribute values with the value of the named system property. An attacker who can send a SAML request can therefore set the request's ID attribute to such a string naming a chosen system property; the Keycloak server expands it and echoes the result back in the InResponseTo attribute of its response, disclosing that property's value on the attacked system.
Status: Published
Exploitability: 0.5
Weighted Severity: 6.2
Risk: 3.1
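The summary above states the mechanism in one sentence. The Python model below is added here and is not Keycloak code, nor code from this page: it reproduces the behaviour the summary describes, with a vulnerable attribute reader that expands property placeholders, the hardened reader that treats attribute values as opaque data, the server echoing the request ID back in InResponseTo, and a log-side check for requests that probe for this behaviour. The `${name}` placeholder syntax, the property names and the SAML snippets are assumptions chosen for illustration (the "special strings" the summary mentions are not spelled out on this page); Keycloak's StaxParserUtil is Java and the real fix is in the pull request linked under References.

```python
"""
Model of CVE-2017-2582: a SAML attribute reader that expands property
placeholders, the fixed reader that does not, and a detection check.

Constructed example, not Keycloak source. The ${name} placeholder form, the
property table and the XML snippets are assumptions for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Stand-in for the JVM's System.getProperties(); values are constructed.
SYSTEM_PROPERTIES = {
    "java.version": "1.8.0_121",
    "jboss.server.config.dir": "/opt/keycloak/standalone/configuration",
}

# Assumed placeholder form: ${property.name}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def expand_system_properties(value, props=SYSTEM_PROPERTIES):
    """Vulnerable behaviour: replace each ${name} with system property 'name'.
    Unknown names are left as-is, so a probe for a missing property comes
    back unchanged while an existing one comes back expanded."""
    return PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def get_attribute_vulnerable(element, name, props=SYSTEM_PROPERTIES):
    """Pre-fix behaviour as the advisory describes it: the attribute value
    taken from the peer's XML is run through property expansion."""
    raw = element.get(name)
    return None if raw is None else expand_system_properties(raw, props)


def get_attribute_fixed(element, name):
    """Hardened reader: a value received from a peer is data, never a
    template. It is returned exactly as parsed."""
    return element.get(name)


def in_response_to(authn_request_xml, get_attribute):
    """Parse an AuthnRequest and return the InResponseTo value the server
    would put in its Response, i.e. the (possibly expanded) request ID.
    This is the field the attacker reads the disclosed value from."""
    request = ET.fromstring(authn_request_xml)
    if request.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    request_id = get_attribute(request, "ID")
    if request_id is None:
        raise ValueError("AuthnRequest has no ID attribute")
    response = ET.Element(f"{{{SAMLP}}}Response",
                          {"ID": "_resp-0001", "InResponseTo": request_id})
    return response.get("InResponseTo")


def is_property_probe(request_id):
    """Detection check for request logs: a SAML ID carrying a placeholder is
    never legitimate. xs:ID values are NCNames, which cannot contain '$' or
    '{', so well-formed IDs never trigger this."""
    return PLACEHOLDER.search(request_id) is not None


# Constructed attacker request: the ID names the property to disclose.
MALICIOUS_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="${{java.version}}" '
    'Version="2.0" IssueInstant="2017-01-05T12:00:00Z"/>'
)

# Constructed benign request with a conventional opaque ID.
BENIGN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_a1b2c3d4e5f6" '
    'Version="2.0" IssueInstant="2017-01-05T12:00:00Z"/>'
)


if __name__ == "__main__":
    print("vulnerable:", in_response_to(MALICIOUS_REQUEST, get_attribute_vulnerable))
    print("fixed:     ", in_response_to(MALICIOUS_REQUEST, get_attribute_fixed))
    print("probe?     ", is_property_probe("${java.version}"),
          is_property_probe("_a1b2c3d4e5f6"))
```

Run stand-alone, the vulnerable path echoes `1.8.0_121` where the fixed path echoes the literal `${java.version}`. Two practical points follow from the model: first, the disclosure works only for properties that exist, so an attacker enumerates names and watches which ones come back changed, which is why the detection check keys on the placeholder pattern rather than on any particular property name; second, validating the ID attribute as an xs:ID before use would have rejected these requests outright, since `$` and `{` are not permitted in an NCName, which makes strict schema validation of inbound SAML a defense independent of the parser fix.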
Weaknesses (4)
System           Score     Found at
cvssv3           6.5       https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-2582.json
epss             0.00663   https://api.first.org/data/v1/epss?cve=CVE-2017-2582
cvssv3.1         6.5       https://github.com/advisories/GHSA-c77r-6f64-478q
cvssv3.1_qr      MODERATE  https://github.com/advisories/GHSA-c77r-6f64-478q
generic_textual  MODERATE  https://github.com/advisories/GHSA-c77r-6f64-478q
cvssv2           4.0       https://nvd.nist.gov/vuln/detail/CVE-2017-2582
cvssv3           6.5       https://nvd.nist.gov/vuln/detail/CVE-2017-2582
cvssv3.1         6.5       https://nvd.nist.gov/vuln/detail/CVE-2017-2582
generic_textual  MODERATE  https://nvd.nist.gov/vuln/detail/CVE-2017-2582
References (Reference id | Reference type | URL)
https://access.redhat.com/errata/RHSA-2017:2808
https://access.redhat.com/errata/RHSA-2017:2809
https://access.redhat.com/errata/RHSA-2017:2810
https://access.redhat.com/errata/RHSA-2017:2811
https://access.redhat.com/errata/RHSA-2018:2740
https://access.redhat.com/errata/RHSA-2018:2741
https://access.redhat.com/errata/RHSA-2018:2742
https://access.redhat.com/errata/RHSA-2018:2743
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-2582.json
https://api.first.org/data/v1/epss?cve=CVE-2017-2582
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2582
https://github.com/advisories/GHSA-c77r-6f64-478q
https://github.com/keycloak/keycloak/pull/3715/commits/0cb5ba0f6e83162d221681f47b470c3042eef237
https://nvd.nist.gov/vuln/detail/CVE-2017-2582
http://www.securityfocus.com/bid/101046
http://www.securitytracker.com/id/1041707
1410481 https://bugzilla.redhat.com/show_bug.cgi?id=1410481
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
RHSA-2017:3216 https://access.redhat.com/errata/RHSA-2017:3216
RHSA-2017:3217 https://access.redhat.com/errata/RHSA-2017:3217
RHSA-2017:3218 https://access.redhat.com/errata/RHSA-2017:3218
RHSA-2017:3219 https://access.redhat.com/errata/RHSA-2017:3219
RHSA-2017:3220 https://access.redhat.com/errata/RHSA-2017:3220
RHSA-2019:0136 https://access.redhat.com/errata/RHSA-2019:0136
RHSA-2019:0137 https://access.redhat.com/errata/RHSA-2019:0137
RHSA-2019:0139 https://access.redhat.com/errata/RHSA-2019:0139
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N   Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-2582.json
Attack Vector (AV): network | Attack Complexity (AC): low | Privileges Required (PR): low | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): high | Integrity Impact (I): none | Availability Impact (A): none
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N   Found at https://github.com/advisories/GHSA-c77r-6f64-478q
Attack Vector (AV): network | Attack Complexity (AC): low | Privileges Required (PR): low | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): high | Integrity Impact (I): none | Availability Impact (A): none
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N   Found at https://nvd.nist.gov/vuln/detail/CVE-2017-2582
Access Vector (AV): network | Access Complexity (AC): low | Authentication (Au): single | Confidentiality Impact (C): partial | Integrity Impact (I): none | Availability Impact (A): none
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N   Found at https://nvd.nist.gov/vuln/detail/CVE-2017-2582
Attack Vector (AV): network | Attack Complexity (AC): low | Privileges Required (PR): low | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): high | Integrity Impact (I): none | Availability Impact (A): none
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.00663
Percentile: 0.70276
Published At: July 30, 2025, 12:55 p.m.
Date                               Actor               Action  Source                                                                                                                                 VulnerableCode Version
2025-07-31T08:54:54.689707+00:00   GithubOSV Importer  Import  https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-c77r-6f64-478q/GHSA-c77r-6f64-478q.json  37.0.0