CVE-2017-2582 : It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special str

It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.

Published 2018-07-26 17:29:00

Updated 2019-01-23 11:29:01

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2017-2582

Probability of exploitation activity in the next 30 days: 0.18%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 55 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2017-2582

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
6.5	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
6.5	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	2.8	3.6	Red Hat, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2017-2582

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)
CWE-201 Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Assigned by: secalert@redhat.com (Secondary)

References for CVE-2017-2582

https://access.redhat.com/errata/RHSA-2019:0139

RHSA-2019:0139 - Security Advisory - Red Hat Customer Portal
https://access.redhat.com/errata/RHSA-2017:2809

RHSA-2017:2809 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:2740

RHSA-2018:2740 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:2811

RHSA-2017:2811 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:2808

RHSA-2017:2808 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:3217

RHSA-2017:3217 - Security Advisory - Red Hat Customer Portal
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:2810

RHSA-2017:2810 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/101046

Picketlink and KeyCloak CVE-2017-2582 Information Disclosure Vulnerability
Third Party Advisory;VDB Entry
https://access.redhat.com/errata/RHSA-2017:3218

RHSA-2017:3218 - Security Advisory - Red Hat Customer Portal
Vendor Advisory
https://github.com/keycloak/keycloak/pull/3715/commits/0cb5ba0f6e83162d221681f47b470c3042eef237

KEYCLOAK-4160 by hmlnarik · Pull Request #3715 · keycloak/keycloak · GitHub
Patch;Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2582

1410481 – (CVE-2017-2582) CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties
Issue Tracking;Patch;Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3216

RHSA-2017:3216 - Security Advisory - Red Hat Customer Portal
Vendor Advisory
http://www.securitytracker.com/id/1041707

Red Hat JBoss EAP Component Errors Let Remote Users Deny Service and Remote Authenticated Users Gain Potentially Sensitive Information - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:3220

RHSA-2017:3220 - Security Advisory - Red Hat Customer Portal
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3219

RHSA-2017:3219 - Security Advisory - Red Hat Customer Portal
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2741

RHSA-2018:2741 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:2742

RHSA-2018:2742 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:0136

RHSA-2019:0136 - Security Advisory - Red Hat Customer Portal
https://access.redhat.com/errata/RHSA-2019:0137

RHSA-2019:0137 - Security Advisory - Red Hat Customer Portal
https://access.redhat.com/errata/RHSA-2018:2743

RHSA-2018:2743 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url

Products affected by CVE-2017-2582

Redhat » Jboss Enterprise Application Platform » Version: 6.0.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 5.0
When used together with: Redhat » Enterprise Linux » Version: 6.0
When used together with: Redhat » Enterprise Linux » Version: 7.0
Redhat » Jboss Enterprise Application Platform » Version: 6.4.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 5.0
When used together with: Redhat » Enterprise Linux » Version: 6.0
When used together with: Redhat » Enterprise Linux » Version: 7.0
Redhat » Jboss Enterprise Application Platform » Version: 7.0.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 5.0
When used together with: Redhat » Enterprise Linux » Version: 6.0
When used together with: Redhat » Enterprise Linux » Version: 7.0
Redhat » Jboss Enterprise Application Platform » Version: 7.1.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 5.0
When used together with: Redhat » Enterprise Linux » Version: 6.0
When used together with: Redhat » Enterprise Linux » Version: 7.0
Redhat » Keycloak
Versions before (<) 2.5.1
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2017-2582

Exploit prediction scoring system (EPSS) score for CVE-2017-2582

CVSS scores for CVE-2017-2582

CWE ids for CVE-2017-2582

References for CVE-2017-2582

Products affected by CVE-2017-2582