VDB
KO
MEDIUM 5.3

GHSA-fqjh-8322-vgrv

Keycloak Generates an Error Message Containing Sensitive Information

Details

A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / org.keycloak:keycloak-services
Introduced in: 0

No fixed version published yet for org.keycloak:keycloak-services (maven). Pin to a known-safe version or switch to an alternative.

Maven / org.keycloak:keycloak-services
Introduced in: 26.5.0 Fixed in: 26.6.3
Fix # pom.xml: bump <version>26.6.3</version> for org.keycloak:keycloak-services

References