Denial of Service Vulnerability in Keycloak 2.5.5 and Earlier

CVE-2017-2646 · MEDIUM Severity

AV:N/AC:L/AU:N/C:N/I:N/A:P

It was found that when Keycloak before 2.5.5 receives a Logout request with an Extensions element in the middle of the request, the SAMLSloRequestParser.parse() method ends up in an infinite loop. An attacker could use this flaw to conduct denial of service attacks.
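The bug class behind this advisory (a pull-parser loop that stops making progress when an element turns up where the code did not expect it) is easy to reproduce and easy to harden against. The following is an added, self-contained Java StAX example written for this page; it is not Keycloak's SAMLSloRequestParser, and whether that parser failed in exactly this way is not stated above. The class name LogoutRequestParserDemo, the methods parseStalling, parseHardened, nextStart and skipSubtree, and the sample LogoutRequest with an Extensions element between Issuer and NameID are all constructed for the illustration. parseStalling shows the hypothetical failure: it peeks at the next element and only consumes it when it is a known one, so an unknown element is returned by peek() forever (an iteration cap keeps the demo finite). parseHardened consumes exactly one event per loop iteration and skips any unknown subtree to its closing tag, so the loop terminates regardless of element order.

```java
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.events.StartElement;
import javax.xml.stream.events.XMLEvent;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

public class LogoutRequestParserDemo {

    // Constructed sample: a SAML 2.0 LogoutRequest whose <Extensions> element sits
    // between <Issuer> and <NameID>, i.e. "in the middle of the request".
    static final String SAMPLE =
        "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
      + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_1\" Version=\"2.0\""
      + " IssueInstant=\"2017-01-01T00:00:00Z\">"
      + "<saml:Issuer>https://idp.example.test</saml:Issuer>"
      + "<samlp:Extensions><ext xmlns=\"urn:example:ext\"/></samlp:Extensions>"
      + "<saml:NameID>alice</saml:NameID>"
      + "<samlp:SessionIndex>s-42</samlp:SessionIndex>"
      + "</samlp:LogoutRequest>";

    static XMLEventReader reader(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Unrelated to the loop bug but standard for untrusted XML: no DTDs, no external entities.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f.createXMLEventReader(new StringReader(xml));
    }

    // Advance to and consume the next START_ELEMENT (here: the LogoutRequest root).
    static StartElement nextStart(XMLEventReader r) throws XMLStreamException {
        while (r.hasNext()) {
            XMLEvent e = r.nextEvent();
            if (e.isStartElement()) return e.asStartElement();
        }
        throw new XMLStreamException("no start element found");
    }

    // Hypothetical stalling pattern: peek, and consume only elements we recognise.
    // An unexpected element (Extensions) is never consumed, so peek() keeps
    // returning it and the loop spins. maxIterations only exists to end the demo.
    static List<String> parseStalling(String xml, int maxIterations) throws XMLStreamException {
        XMLEventReader r = reader(xml);
        nextStart(r);
        List<String> seen = new ArrayList<>();
        int iterations = 0;
        while (r.hasNext()) {
            if (++iterations > maxIterations) { seen.add("STALLED"); break; }
            XMLEvent e = r.peek();
            if (e.isEndElement()) { r.nextEvent(); break; }          // </LogoutRequest>
            if (!e.isStartElement()) { r.nextEvent(); continue; }    // whitespace, comments
            String name = e.asStartElement().getName().getLocalPart();
            switch (name) {
                case "Issuer": case "NameID": case "SessionIndex":
                    r.nextEvent();                                   // consume the start tag
                    seen.add(name + "=" + r.getElementText());       // reads through the end tag
                    break;
                default:
                    // Meant to "ignore" the element, but nothing advances the reader.
                    break;
            }
        }
        return seen;
    }

    // Hardened pattern: every iteration consumes exactly one event, and any
    // unrecognised element is skipped to its matching end tag before continuing.
    static List<String> parseHardened(String xml) throws XMLStreamException {
        XMLEventReader r = reader(xml);
        nextStart(r);
        List<String> seen = new ArrayList<>();
        while (r.hasNext()) {
            XMLEvent e = r.nextEvent();
            if (e.isEndElement()) break;                             // </LogoutRequest>
            if (!e.isStartElement()) continue;
            String name = e.asStartElement().getName().getLocalPart();
            switch (name) {
                case "Issuer": case "NameID": case "SessionIndex":
                    seen.add(name + "=" + r.getElementText());
                    break;
                default:
                    skipSubtree(r);                                  // Extensions or anything else
                    seen.add(name + "=<skipped>");
            }
        }
        return seen;
    }

    // Consume events until the end tag matching the start tag we are currently on.
    static void skipSubtree(XMLEventReader r) throws XMLStreamException {
        int depth = 1;
        while (depth > 0 && r.hasNext()) {
            XMLEvent e = r.nextEvent();
            if (e.isStartElement()) depth++;
            else if (e.isEndElement()) depth--;
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        System.out.println("stalling : " + parseStalling(SAMPLE, 1000));
        System.out.println("hardened : " + parseHardened(SAMPLE));
    }
}
```

Run it with `javac LogoutRequestParserDemo.java && java LogoutRequestParserDemo`. The stalling variant reports only the Issuer before hitting the iteration cap; the hardened variant reports Issuer, the skipped Extensions, NameID and SessionIndex in document order. The design rule that matters for the advisory is the one in parseHardened: a parsing loop over attacker-supplied input must make progress on every iteration, so the "unknown element" branch must consume, not merely decline to handle, the element it does not recognise.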
