ArchLinuxASA-202106-19[ASA-202106-19] keycloak: incorrect calculation
7.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
3.3 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
25.4%
Arch Linux Security Advisory ASA-202106-19
Severity: Low
Date : 2021-06-01
CVE-ID : CVE-2021-3461
Package : keycloak
Type : incorrect calculation
Remote : Yes
Link : https://security.archlinux.org/AVG-1994
Summary
The package keycloak before version 13.0.1-1 is vulnerable to incorrect
calculation.
Resolution
Upgrade to 13.0.1-1.
pacman -Syu “keycloak>=13.0.1-1”
The problem has been fixed upstream in version 13.0.1.
Workaround
None.
Description
Keycloak may fail to logout a user session if the logout request comes
from an external SAML identity provider that is set up to identify the
principal via attributes rather than by Subject Name ID.
Impact
A remote attacker could take over a logged out user session if they
manage to obtain the old session token.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1941565
https://issues.redhat.com/browse/KEYCLOAK-17495
https://github.com/keycloak/keycloak/commit/f014299e7c781dff2b492b81bc81adcf717bd530
https://security.archlinux.org/CVE-2021-3461
Related
7.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
3.3 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
25.4%