Description
It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.
Remediation
References
http://www.securityfocus.com/bid/101046
http://www.securitytracker.com/id/1041707
https://access.redhat.com/errata/RHSA-2017:2808
https://access.redhat.com/errata/RHSA-2017:2809
https://access.redhat.com/errata/RHSA-2017:2810
https://access.redhat.com/errata/RHSA-2017:2811
https://access.redhat.com/errata/RHSA-2017:3216
https://access.redhat.com/errata/RHSA-2017:3217
https://access.redhat.com/errata/RHSA-2017:3218
https://access.redhat.com/errata/RHSA-2017:3219
https://access.redhat.com/errata/RHSA-2017:3220
https://access.redhat.com/errata/RHSA-2018:2740
https://access.redhat.com/errata/RHSA-2018:2741
https://access.redhat.com/errata/RHSA-2018:2742
https://access.redhat.com/errata/RHSA-2018:2743
https://access.redhat.com/errata/RHSA-2019:0136
https://access.redhat.com/errata/RHSA-2019:0137
https://access.redhat.com/errata/RHSA-2019:0139
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2582
https://github.com/keycloak/keycloak/pull/3715/commits/0cb5ba0f6e83162d221681f47b470c3042eef237
Related Vulnerabilities
CVE-2023-40815 Vulnerability in maven package org.opencrx:opencrx-core-models
CVE-2019-1003044 Vulnerability in maven package org.jenkins-ci.plugins:slack
CVE-2020-6506 Vulnerability in npm package react-native-webview
CVE-2018-1000013 Vulnerability in maven package org.jenkins-ci.plugins:release
CVE-2020-2163 Vulnerability in maven package org.jenkins-ci.main:jenkins-core