一、 漏洞 CVE-2024-8698 基础信息
漏洞信息
                                        # Keycloak-saml-core:对saml响应验证不当导致keycloak权限提升

## 漏洞概述
Keycloak中的XMLSignatureUtil类在验证SAML签名时存在缺陷,该缺陷基于错误的位置判断签名适用范围,可能导致签名验证被绕过。

## 影响版本
未指定具体版本。

## 细节
Keycloak中的XMLSignatureUtil类在验证SAML签名时,错误地根据签名在XML文档中的位置来确定签名是针对整个文档还是特定断言。这并非通过Signature元素中指定的Reference元素来判断。利用该缺陷,攻击者可以创建特定的响应,使验证过程失效。

## 影响
该漏洞可能导致验证过程被绕过,进而引起权限提升或冒充攻击。
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
Keycloak-saml-core: improper verification of saml responses leading to privilege escalation in keycloak
来源:美国国家漏洞数据库 NVD
漏洞描述信息
A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
来源:美国国家漏洞数据库 NVD
漏洞类别
密码学签名的验证不恰当
来源:美国国家漏洞数据库 NVD
漏洞标题
Red Hat Keycloak 数据伪造问题漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Red Hat Keycloak是美国红帽(Red Hat)公司的一套为现代应用和服务提供身份验证和管理功能的软件。 Red Hat Keycloak 25.0.6之前版本存在数据伪造问题漏洞,该漏洞源于SAML签名验证方法存在缺陷,允许攻击者创建可以绕过验证的精心设计的响应,从而导致权限提升或冒充攻击。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
授权问题
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2024-8698 的公开POC
# POC 描述 源链接 神龙链接
1 i'm noob with saml and keycloak . J4f https://github.com/huydoppaz/CVE-2024-8698-POC POC详情
2 A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-8698.yaml POC详情
三、漏洞 CVE-2024-8698 的情报信息

  • 标题: CVE-2024-8698 - Red Hat Customer Portal -- 🔗来源链接

    标签: vdb-entry x_refsource_REDHAT

    CVE-2024-8698 - Red Hat Customer Portal

  • 标题: keycloak/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java at main · keycloak/keycloak · GitHub -- 🔗来源链接

    标签:

    keycloak/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java at main · keycloak/keycloak · GitHub

  • 标题: 2311641 – (CVE-2024-8698) CVE-2024-8698 keycloak-saml-core: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak -- 🔗来源链接

    标签: issue-tracking x_refsource_REDHAT

    神龙速读
    2311641 – (CVE-2024-8698) CVE-2024-8698 keycloak-saml-core: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak

  • 标题: RHSA-2024:6878 - Security Advisory - Red Hat Customer Portal -- 🔗来源链接

    标签: vendor-advisory x_refsource_REDHAT

    神龙速读
    RHSA-2024:6878 - Security Advisory - Red Hat Customer Portal

  • 标题: RHSA-2024:6879 - Security Advisory - Red Hat Customer Portal -- 🔗来源链接

    标签: vendor-advisory x_refsource_REDHAT

    神龙速读
    RHSA-2024:6879 - Security Advisory - Red Hat Customer Portal

  • 标题: RHSA-2024:6880 - Security Advisory - Red Hat Customer Portal -- 🔗来源链接

    标签: vendor-advisory x_refsource_REDHAT

    神龙速读
    RHSA-2024:6880 - Security Advisory - Red Hat Customer Portal

  • 标题: RHSA-2024:6882 - Security Advisory - Red Hat Customer Portal -- 🔗来源链接

    标签: vendor-advisory x_refsource_REDHAT

    神龙速读
    RHSA-2024:6882 - Security Advisory - Red Hat Customer Portal

  • 标题: RHSA-2024:6886 - Security Advisory - Red Hat Customer Portal -- 🔗来源链接

    标签: vendor-advisory x_refsource_REDHAT

    神龙速读
    RHSA-2024:6886 - Security Advisory - Red Hat Customer Portal

  • 标题: RHSA-2024:6887 - Security Advisory - Red Hat Customer Portal -- 🔗来源链接

    标签: vendor-advisory x_refsource_REDHAT

    神龙速读
    RHSA-2024:6887 - Security Advisory - Red Hat Customer Portal

  • 标题: RHSA-2024:6888 - Security Advisory - Red Hat Customer Portal -- 🔗来源链接

    标签: vendor-advisory x_refsource_REDHAT

    神龙速读
    RHSA-2024:6888 - Security Advisory - Red Hat Customer Portal

  • 标题: RHSA-2024:6889 - Security Advisory - Red Hat Customer Portal -- 🔗来源链接

    标签: vendor-advisory x_refsource_REDHAT

    神龙速读
    RHSA-2024:6889 - Security Advisory - Red Hat Customer Portal

  • 标题: RHSA-2024:6890 - Security Advisory - Red Hat Customer Portal -- 🔗来源链接

    标签: vendor-advisory x_refsource_REDHAT

    神龙速读
    RHSA-2024:6890 - Security Advisory - Red Hat Customer Portal

  • 标题: RHSA-2024:8823 - Security Advisory - Red Hat Customer Portal -- 🔗来源链接

    标签: vendor-advisory x_refsource_REDHAT

    神龙速读
    RHSA-2024:8823 - Security Advisory - Red Hat Customer Portal

  • 标题: RHSA-2024:8824 - Security Advisory - Red Hat Customer Portal -- 🔗来源链接

    标签: vendor-advisory x_refsource_REDHAT

    神龙速读
    RHSA-2024:8824 - Security Advisory - Red Hat Customer Portal

  • 标题: RHSA-2024:8826 - Security Advisory - Red Hat Customer Portal -- 🔗来源链接

    标签: vendor-advisory x_refsource_REDHAT

    神龙速读
    RHSA-2024:8826 - Security Advisory - Red Hat Customer Portal
  • https://nvd.nist.gov/vuln/detail/CVE-2024-8698