VDB
CVE-2018-10894
CVE-2018-10894
PUBLISHED
CVSS 5.4 MEDIUM
Reported by redhat · Published August 1, 2018
It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.
Risk Scores
CVSS 3.0
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | keycloak | 3.4.3.Final |
| Maven | org.keycloak:keycloak-services | 0, 0, 0 |
| Maven | org.keycloak:keycloak-core | 0, 0, 0 |
| Red Hat | keycloak | 3.4.3.Final, 3.4.3.Final, * |
| npm | keycloak-connect | 3.4.3, 3.4.3, 3.4.3 |
| Maven | org.keycloak:keycloak-saml-adapter-core | 0, 0, 0 |
Timeline
- Aug 1, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- RHSA-2018:3592 vendor-advisoryx_refsource_REDHAT
- RHSA-2018:3593 vendor-advisoryx_refsource_REDHAT
- RHSA-2018:3595 vendor-advisoryx_refsource_REDHAT
- x_refsource_CONFIRM
- RHSA-2019:0877 vendor-advisoryx_refsource_REDHAT
- https://nvd.nist.gov/vuln/detail/CVE-2018-10894 advisory
- https://github.com/advisories/GHSA-xvv8-8wh9-9fh2 advisory
- https://github.com/keycloak/keycloak/commit/812e76c39b1e693e8f11e5549cca2c90631f372e patch