NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2024-8698

Summary	A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
Publication Date	Sept. 20, 2024, 1:15 a.m.
Registration Date	Sept. 20, 2024, 5 a.m.
Last Update	Nov. 5, 2024, 1:15 p.m.

CVSS3.1 : HIGH
スコア	7.7
Vector	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	高
攻撃に必要な特権レベル(PR)	低
利用者の関与(UI)	不要
影響の想定範囲(S)	変更あり
機密性への影響(C)	高
完全性への影響(I)	低
可用性への影響(A)	低

Related information, measures and tools

No	URL	refsource	タグ
1	https://access.redhat.com/security/cve/CVE-2024-8698
2	https://bugzilla.redhat.com/show_bug.cgi?id=2311641
3	https://github.com/keycloak/keycloak/blob/main/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java#L415
4	https://access.redhat.com/errata/RHSA-2024:6878
5	https://access.redhat.com/errata/RHSA-2024:6879
6	https://access.redhat.com/errata/RHSA-2024:6880
7	https://access.redhat.com/errata/RHSA-2024:6882
8	https://access.redhat.com/errata/RHSA-2024:6886
9	https://access.redhat.com/errata/RHSA-2024:6887
10	https://access.redhat.com/errata/RHSA-2024:6888
11	https://access.redhat.com/errata/RHSA-2024:6889
12	https://access.redhat.com/errata/RHSA-2024:6890
13	https://access.redhat.com/errata/RHSA-2024:8823
14	https://access.redhat.com/errata/RHSA-2024:8824
15	https://access.redhat.com/errata/RHSA-2024:8826

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-347	デジタル署名の不適切な検証	https://cwe.mitre.org/data/definitions/347.html