CVE-2024-8698 - Vulnerability Details

CVE-2024-8698 - Keycloak-saml-core: improper verification of saml responses leading to privilege escalation in keycloak

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Build Keycloak Jboss Enterprise Application Platform Red Hat Single Sign On Rhosemc

No data.

Package	CPE	Advisory	Released Date
Red Hat Build of Keycloak
	cpe:/a:redhat:build_keycloak:22	RHSA-2024:6888	2024-09-19T00:00:00Z
org.keycloak/keycloak-saml-core	cpe:/a:redhat:build_keycloak:24	RHSA-2024:6890	2024-09-19T00:00:00Z
Red Hat build of Keycloak 22
rhbk/keycloak-operator-bundle:22.0.13-1	cpe:/a:redhat:build_keycloak:22::el9	RHSA-2024:6887	2024-09-19T00:00:00Z
rhbk/keycloak-rhel9:22-18	cpe:/a:redhat:build_keycloak:22::el9	RHSA-2024:6887	2024-09-19T00:00:00Z
rhbk/keycloak-rhel9-operator:22-21	cpe:/a:redhat:build_keycloak:22::el9	RHSA-2024:6887	2024-09-19T00:00:00Z
Red Hat build of Keycloak 24
rhbk/keycloak-operator-bundle:24.0.8-1	cpe:/a:redhat:build_keycloak:24::el9	RHSA-2024:6889	2024-09-19T00:00:00Z
rhbk/keycloak-rhel9:24-17	cpe:/a:redhat:build_keycloak:24::el9	RHSA-2024:6889	2024-09-19T00:00:00Z
rhbk/keycloak-rhel9-operator:24-17	cpe:/a:redhat:build_keycloak:24::el9	RHSA-2024:6889	2024-09-19T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8
org.keycloak/keycloak-saml-core	cpe:/a:redhat:jboss_enterprise_application_platform:8.0	RHSA-2024:8826	2024-11-04T00:00:00Z
org.keycloak/keycloak-saml-core-public	cpe:/a:redhat:jboss_enterprise_application_platform:8.0	RHSA-2024:8826	2024-11-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
eap8-activemq-artemis-0:2.33.0-1.redhat_00015.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-activemq-artemis-native-1:2.0.0-2.redhat_00005.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-aesh-extensions-0:1.8.0-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-aesh-readline-0:2.2.0-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-commons-codec-0:1.16.1-2.redhat_00007.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-commons-collections-0:3.2.2-28.redhat_2.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-commons-io-0:2.15.1-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-commons-lang-0:3.14.0-2.redhat_00006.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-cxf-0:4.0.5-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-artemis-native-1:2.0.0-2.redhat_00005.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-artemis-wildfly-integration-0:2.0.1-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-asyncutil-0:0.1.0-2.redhat_00010.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-aws-java-sdk-0:1.12.284-2.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-cryptacular-0:1.2.5-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-eap-product-conf-parent-0:800.4.0-1.GA_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-fastinfoset-0:2.1.0-4.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-hibernate-0:6.2.31-1.Final_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-hibernate-validator-0:8.0.1-3.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-hppc-0:0.8.1-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-insights-java-client-0:1.1.3-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jakarta-servlet-jsp-jstl-api-0:3.0.1-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jboss-logging-0:3.5.3-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jctools-0:4.0.2-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jgroups-0:5.3.10-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-log4j-0:2.22.1-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-narayana-0:6.0.3-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-nimbus-jose-jwt-0:9.37.3-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-objectweb-asm-0:9.6.0-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-pem-keystore-0:2.3.0-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-resteasy-extensions-0:2.0.1-3.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-resteasy-spring-0:3.0.1-2.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-saaj-impl-0:3.0.4-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-shibboleth-java-support-0:8.0.0-6.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-slf4j-0:2.0.16-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-snakeyaml-0:2.2.0-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-wildfly-0:8.0.4-2.GA_redhat_00005.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
eap8-activemq-artemis-0:2.33.0-1.redhat_00015.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-activemq-artemis-native-1:2.0.0-2.redhat_00005.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-aesh-extensions-0:1.8.0-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-aesh-readline-0:2.2.0-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-commons-codec-0:1.16.1-2.redhat_00007.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-commons-collections-0:3.2.2-28.redhat_2.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-commons-io-0:2.15.1-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-commons-lang-0:3.14.0-2.redhat_00006.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-cxf-0:4.0.5-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-artemis-native-1:2.0.0-2.redhat_00005.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-artemis-wildfly-integration-0:2.0.1-1.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-asyncutil-0:0.1.0-2.redhat_00010.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-aws-java-sdk-0:1.12.284-2.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-cryptacular-0:1.2.5-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-eap-product-conf-parent-0:800.4.0-1.GA_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-fastinfoset-0:2.1.0-4.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-hibernate-0:6.2.31-1.Final_redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-hibernate-validator-0:8.0.1-3.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-hppc-0:0.8.1-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-insights-java-client-0:1.1.3-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jakarta-servlet-jsp-jstl-api-0:3.0.1-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jboss-logging-0:3.5.3-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jctools-0:4.0.2-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jgroups-0:5.3.10-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-log4j-0:2.22.1-1.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-narayana-0:6.0.3-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-nimbus-jose-jwt-0:9.37.3-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-objectweb-asm-0:9.6.0-1.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-pem-keystore-0:2.3.0-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-resteasy-extensions-0:2.0.1-3.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-resteasy-spring-0:3.0.1-2.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-saaj-impl-0:3.0.4-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-shibboleth-java-support-0:8.0.0-6.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-slf4j-0:2.0.16-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-snakeyaml-0:2.2.0-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-wildfly-0:8.0.4-2.GA_redhat_00005.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
Red Hat Single Sign-On 7
org.keycloak/keycloak-saml-core	cpe:/a:redhat:red_hat_single_sign_on:7.6	RHSA-2024:6886	2024-09-19T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.18-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7	RHSA-2024:6878	2024-09-19T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.18-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8	RHSA-2024:6879	2024-09-19T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-keycloak-0:18.0.18-1.redhat_00001.1.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2024:6880	2024-09-19T00:00:00Z
RHEL-8 based Middleware Containers
rh-sso-7/sso76-openshift-rhel8:7.6-54	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2024:6882	2024-09-19T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2024:6878
https://access.redhat.com/errata/RHSA-2024:6879
https://access.redhat.com/errata/RHSA-2024:6880
https://access.redhat.com/errata/RHSA-2024:6882
https://access.redhat.com/errata/RHSA-2024:6886
https://access.redhat.com/errata/RHSA-2024:6887
https://access.redhat.com/errata/RHSA-2024:6888
https://access.redhat.com/errata/RHSA-2024:6889
https://access.redhat.com/errata/RHSA-2024:6890
https://access.redhat.com/errata/RHSA-2024:8823
https://access.redhat.com/errata/RHSA-2024:8824
https://access.redhat.com/errata/RHSA-2024:8826
https://access.redhat.com/security/cve/CVE-2024-8698
https://bugzilla.redhat.com/show_bug.cgi?id=2311641
https://nvd.nist.gov/vuln/detail/CVE-2024-8698
https://www.cve.org/CVERecord?id=CVE-2024-8698

History

Fri, 13 Dec 2024 02:30:00 +0000

Type	Values Removed	Values Added
References	https://github.com/keycloak/keycloak/blob/main/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java#L415

Tue, 05 Nov 2024 03:30:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:jboss_enterprise_application_platform:8~~	cpe:/a:redhat:jboss_enterprise_application_platform:8.0 cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8 cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
References		https://access.redhat.com/errata/RHSA-2024:8823 https://access.redhat.com/errata/RHSA-2024:8824 https://access.redhat.com/errata/RHSA-2024:8826

Thu, 19 Sep 2024 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhosemc
CPEs		cpe:/a:redhat:build_keycloak:22 cpe:/a:redhat:build_keycloak:22::el9 cpe:/a:redhat:build_keycloak:24 cpe:/a:redhat:build_keycloak:24::el9 cpe:/a:redhat:red_hat_single_sign_on:7.6 cpe:/a:redhat:red_hat_single_sign_on:7.6::el7 cpe:/a:redhat:red_hat_single_sign_on:7.6::el8 cpe:/a:redhat:red_hat_single_sign_on:7.6::el9 cpe:/a:redhat:rhosemc:1.0::el8
Vendors & Products		Redhat rhosemc
References		https://access.redhat.com/errata/RHSA-2024:6878 https://access.redhat.com/errata/RHSA-2024:6879 https://access.redhat.com/errata/RHSA-2024:6880 https://access.redhat.com/errata/RHSA-2024:6882 https://access.redhat.com/errata/RHSA-2024:6886 https://access.redhat.com/errata/RHSA-2024:6887 https://access.redhat.com/errata/RHSA-2024:6888 https://access.redhat.com/errata/RHSA-2024:6889 https://access.redhat.com/errata/RHSA-2024:6890

Thu, 19 Sep 2024 19:30:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-8698 https://www.cve.org/CVERecord?id=CVE-2024-8698
Metrics	threat_severity `None`	threat_severity `Important`

Thu, 19 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 19 Sep 2024 16:00:00 +0000

Type	Values Removed	Values Added
Description		A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
Title		Keycloak-saml-core: improper verification of saml responses leading to privilege escalation in keycloak
First Time appeared		Redhat Redhat build Keycloak Redhat jboss Enterprise Application Platform Redhat red Hat Single Sign On
Weaknesses		CWE-347
CPEs		cpe:/a:redhat:build_keycloak: cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products		Redhat Redhat build Keycloak Redhat jboss Enterprise Application Platform Redhat red Hat Single Sign On
References		https://access.redhat.com/security/cve/CVE-2024-8698 https://bugzilla.redhat.com/show_bug.cgi?id=2311641 https://github.com/keycloak/keycloak/blob/main/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java#L415
Metrics		cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-09-19T15:48:18.464Z

Updated: 2024-12-13T14:15:19.702Z

Reserved: 2024-09-11T12:55:53.092Z

Link: CVE-2024-8698

Vulnrichment

Updated: 2024-09-19T17:57:02.926Z

NVD

Status : Awaiting Analysis

Published: 2024-09-19T16:15:06.177

Modified: 2024-12-12T20:15:22.150

Link: CVE-2024-8698

Redhat

Severity : Important

Publid Date: 2024-09-19T15:12:00Z

Links: CVE-2024-8698 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8698", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-09-11T12:55:53.092Z", "datePublished": "2024-09-19T15:48:18.464Z", "dateUpdated": "2024-12-13T14:15:19.702Z"}, "containers": {"cna": {"title": "Keycloak-saml-core: improper verification of saml responses leading to privilege escalation in keycloak", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "25.0.5", "versionType": "semver"}], "packageName": "keycloak", "collectionURL": "https://github.com/keycloak/keycloak", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:build_keycloak:22"]}, {"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "org.keycloak/keycloak-saml-core", "cpes": ["cpe:/a:redhat:build_keycloak:24"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 22", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "22.0.13-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:22::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 22", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "22-18", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:22::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 22", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "22-21", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:22::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 24", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "24.0.8-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:24::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 24", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "24-17", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:24::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 24", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "24-17", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:24::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "org.keycloak/keycloak-saml-core", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "org.keycloak/keycloak-saml-core-public", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-activemq-artemis", "defaultStatus": "affected", "versions": [{"version": "0:2.33.0-1.redhat_00015.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-activemq-artemis-native", "defaultStatus": "affected", "versions": [{"version": "1:2.0.0-2.redhat_00005.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-aesh-extensions", "defaultStatus": "affected", "versions": [{"version": "0:1.8.0-2.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-aesh-readline", "defaultStatus": "affected", "versions": [{"version": "0:2.2.0-2.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-apache-commons-codec", "defaultStatus": "affected", "versions": [{"version": "0:1.16.1-2.redhat_00007.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-apache-commons-collections", "defaultStatus": "affected", "versions": [{"version": "0:3.2.2-28.redhat_2.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-apache-commons-io", "defaultStatus": "affected", "versions": [{"version": "0:2.15.1-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-apache-commons-lang", "defaultStatus": "affected", "versions": [{"version": "0:3.14.0-2.redhat_00006.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-apache-cxf", "defaultStatus": "affected", "versions": [{"version": "0:4.0.5-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-artemis-native", "defaultStatus": "affected", "versions": [{"version": "1:2.0.0-2.redhat_00005.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-artemis-wildfly-integration", "defaultStatus": "affected", "versions": [{"version": "0:2.0.1-1.redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-asyncutil", "defaultStatus": "affected", "versions": [{"version": "0:0.1.0-2.redhat_00010.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-aws-java-sdk", "defaultStatus": "affected", "versions": [{"version": "0:1.12.284-2.redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-cryptacular", "defaultStatus": "affected", "versions": [{"version": "0:1.2.5-2.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-eap-product-conf-parent", "defaultStatus": "affected", "versions": [{"version": "0:800.4.0-1.GA_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-fastinfoset", "defaultStatus": "affected", "versions": [{"version": "0:2.1.0-4.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-hibernate", "defaultStatus": "affected", "versions": [{"version": "0:6.2.31-1.Final_redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-hibernate-validator", "defaultStatus": "affected", "versions": [{"version": "0:8.0.1-3.Final_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-hppc", "defaultStatus": "affected", "versions": [{"version": "0:0.8.1-2.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-insights-java-client", "defaultStatus": "affected", "versions": [{"version": "0:1.1.3-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-jakarta-servlet-jsp-jstl-api", "defaultStatus": "affected", "versions": [{"version": "0:3.0.1-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-jboss-cert-helper", "defaultStatus": "affected", "versions": [{"version": "0:1.1.3-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-jboss-logging", "defaultStatus": "affected", "versions": [{"version": "0:3.5.3-1.Final_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-jctools", "defaultStatus": "affected", "versions": [{"version": "0:4.0.2-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-jgroups", "defaultStatus": "affected", "versions": [{"version": "0:5.3.10-1.Final_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-log4j", "defaultStatus": "affected", "versions": [{"version": "0:2.22.1-1.redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-narayana", "defaultStatus": "affected", "versions": [{"version": "0:6.0.3-1.Final_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-nimbus-jose-jwt", "defaultStatus": "affected", "versions": [{"version": "0:9.37.3-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-objectweb-asm", "defaultStatus": "affected", "versions": [{"version": "0:9.6.0-1.redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-pem-keystore", "defaultStatus": "affected", "versions": [{"version": "0:2.3.0-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-resteasy-extensions", "defaultStatus": "affected", "versions": [{"version": "0:2.0.1-3.Final_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-resteasy-spring", "defaultStatus": "affected", "versions": [{"version": "0:3.0.1-2.Final_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-saaj-impl", "defaultStatus": "affected", "versions": [{"version": "0:3.0.4-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-shibboleth-java-support", "defaultStatus": "affected", "versions": [{"version": "0:8.0.0-6.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-slf4j", "defaultStatus": "affected", "versions": [{"version": "0:2.0.16-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-snakeyaml", "defaultStatus": "affected", "versions": [{"version": "0:2.2.0-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-wildfly", "defaultStatus": "affected", "versions": [{"version": "0:8.0.4-2.GA_redhat_00005.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-activemq-artemis", "defaultStatus": "affected", "versions": [{"version": "0:2.33.0-1.redhat_00015.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-activemq-artemis-native", "defaultStatus": "affected", "versions": [{"version": "1:2.0.0-2.redhat_00005.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-aesh-extensions", "defaultStatus": "affected", "versions": [{"version": "0:1.8.0-2.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-aesh-readline", "defaultStatus": "affected", "versions": [{"version": "0:2.2.0-2.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-apache-commons-codec", "defaultStatus": "affected", "versions": [{"version": "0:1.16.1-2.redhat_00007.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-apache-commons-collections", "defaultStatus": "affected", "versions": [{"version": "0:3.2.2-28.redhat_2.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-apache-commons-io", "defaultStatus": "affected", "versions": [{"version": "0:2.15.1-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-apache-commons-lang", "defaultStatus": "affected", "versions": [{"version": "0:3.14.0-2.redhat_00006.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-apache-cxf", "defaultStatus": "affected", "versions": [{"version": "0:4.0.5-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-artemis-native", "defaultStatus": "affected", "versions": [{"version": "1:2.0.0-2.redhat_00005.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-artemis-wildfly-integration", "defaultStatus": "affected", "versions": [{"version": "0:2.0.1-1.redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-asyncutil", "defaultStatus": "affected", "versions": [{"version": "0:0.1.0-2.redhat_00010.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-aws-java-sdk", "defaultStatus": "affected", "versions": [{"version": "0:1.12.284-2.redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-cryptacular", "defaultStatus": "affected", "versions": [{"version": "0:1.2.5-2.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-eap-product-conf-parent", "defaultStatus": "affected", "versions": [{"version": "0:800.4.0-1.GA_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-fastinfoset", "defaultStatus": "affected", "versions": [{"version": "0:2.1.0-4.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-hibernate", "defaultStatus": "affected", "versions": [{"version": "0:6.2.31-1.Final_redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-hibernate-validator", "defaultStatus": "affected", "versions": [{"version": "0:8.0.1-3.Final_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-hppc", "defaultStatus": "affected", "versions": [{"version": "0:0.8.1-2.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-insights-java-client", "defaultStatus": "affected", "versions": [{"version": "0:1.1.3-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-jakarta-servlet-jsp-jstl-api", "defaultStatus": "affected", "versions": [{"version": "0:3.0.1-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-jboss-cert-helper", "defaultStatus": "affected", "versions": [{"version": "0:1.1.3-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-jboss-logging", "defaultStatus": "affected", "versions": [{"version": "0:3.5.3-1.Final_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-jctools", "defaultStatus": "affected", "versions": [{"version": "0:4.0.2-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-jgroups", "defaultStatus": "affected", "versions": [{"version": "0:5.3.10-1.Final_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-log4j", "defaultStatus": "affected", "versions": [{"version": "0:2.22.1-1.redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-narayana", "defaultStatus": "affected", "versions": [{"version": "0:6.0.3-1.Final_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-nimbus-jose-jwt", "defaultStatus": "affected", "versions": [{"version": "0:9.37.3-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-objectweb-asm", "defaultStatus": "affected", "versions": [{"version": "0:9.6.0-1.redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-pem-keystore", "defaultStatus": "affected", "versions": [{"version": "0:2.3.0-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-resteasy-extensions", "defaultStatus": "affected", "versions": [{"version": "0:2.0.1-3.Final_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-resteasy-spring", "defaultStatus": "affected", "versions": [{"version": "0:3.0.1-2.Final_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-saaj-impl", "defaultStatus": "affected", "versions": [{"version": "0:3.0.4-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-shibboleth-java-support", "defaultStatus": "affected", "versions": [{"version": "0:8.0.0-6.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-slf4j", "defaultStatus": "affected", "versions": [{"version": "0:2.0.16-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-snakeyaml", "defaultStatus": "affected", "versions": [{"version": "0:2.2.0-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-wildfly", "defaultStatus": "affected", "versions": [{"version": "0:8.0.4-2.GA_redhat_00005.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "org.keycloak/keycloak-saml-core", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.18-1.redhat_00001.1.el7sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.18-1.redhat_00001.1.el8sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.18-1.redhat_00001.1.el9sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rh-sso-7/sso76-openshift-rhel8", "defaultStatus": "affected", "versions": [{"version": "7.6-54", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "org.keycloak/keycloak-saml-core-public", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "org.keycloak/keycloak-saml-core-public", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:6878", "name": "RHSA-2024:6878", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6879", "name": "RHSA-2024:6879", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6880", "name": "RHSA-2024:6880", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6882", "name": "RHSA-2024:6882", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6886", "name": "RHSA-2024:6886", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6887", "name": "RHSA-2024:6887", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6888", "name": "RHSA-2024:6888", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6889", "name": "RHSA-2024:6889", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6890", "name": "RHSA-2024:6890", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8823", "name": "RHSA-2024:8823", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8824", "name": "RHSA-2024:8824", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8826", "name": "RHSA-2024:8826", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-8698", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311641", "name": "RHBZ#2311641", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-09-19T15:12:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-347: Improper Verification of Cryptographic Signature", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2024-09-10T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-19T15:12:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Tanner Emek for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-12-13T14:15:19.702Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T17:28:59.153864Z", "id": "CVE-2024-8698", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T17:57:06.522Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8698", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-19T17:28:59.153864Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T17:57:02.926Z"}}], "cna": {"title": "Keycloak-saml-core: improper verification of saml responses leading to privilege escalation in keycloak", "credits": [{"lang": "en", "value": "Red Hat would like to thank Tanner Emek for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "25.0.5", "versionType": "semver"}], "packageName": "keycloak", "collectionURL": "https://github.com/keycloak/keycloak", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:22"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:24"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "org.keycloak/keycloak-saml-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:22::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 22", "versions": [{"status": "unaffected", "version": "22.0.13-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:22::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 22", "versions": [{"status": "unaffected", "version": "22-18", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:22::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 22", "versions": [{"status": "unaffected", "version": "22-21", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9-operator", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:24::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 24", "versions": [{"status": "unaffected", "version": "24.0.8-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:24::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 24", "versions": [{"status": "unaffected", "version": "24-17", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:24::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 24", "versions": [{"status": "unaffected", "version": "24-17", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9-operator", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "packageName": "org.keycloak/keycloak-saml-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "packageName": "org.keycloak/keycloak-saml-core-public", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.33.0-1.redhat_00015.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-activemq-artemis", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "1:2.0.0-2.redhat_00005.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-activemq-artemis-native", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:1.8.0-2.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-aesh-extensions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.2.0-2.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-aesh-readline", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:1.16.1-2.redhat_00007.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-apache-commons-codec", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:3.2.2-28.redhat_2.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-apache-commons-collections", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.15.1-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-apache-commons-io", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:3.14.0-2.redhat_00006.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-apache-commons-lang", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:4.0.5-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-apache-cxf", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "1:2.0.0-2.redhat_00005.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-artemis-native", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.0.1-1.redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-artemis-wildfly-integration", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:0.1.0-2.redhat_00010.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-asyncutil", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:1.12.284-2.redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-aws-java-sdk", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:1.2.5-2.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-cryptacular", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:800.4.0-1.GA_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-eap-product-conf-parent", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.1.0-4.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-fastinfoset", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:6.2.31-1.Final_redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-hibernate", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:8.0.1-3.Final_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-hibernate-validator", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:0.8.1-2.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-hppc", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:1.1.3-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-insights-java-client", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:3.0.1-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-jakarta-servlet-jsp-jstl-api", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:1.1.3-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-jboss-cert-helper", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:3.5.3-1.Final_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-jboss-logging", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:4.0.2-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-jctools", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:5.3.10-1.Final_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-jgroups", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.22.1-1.redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-log4j", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:6.0.3-1.Final_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-narayana", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:9.37.3-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-nimbus-jose-jwt", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:9.6.0-1.redhat_00002.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-objectweb-asm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.3.0-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-pem-keystore", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.0.1-3.Final_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-resteasy-extensions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:3.0.1-2.Final_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-resteasy-spring", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:3.0.4-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-saaj-impl", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:8.0.0-6.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-shibboleth-java-support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.0.16-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-slf4j", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.2.0-1.redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-snakeyaml", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:8.0.4-2.GA_redhat_00005.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-wildfly", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.33.0-1.redhat_00015.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-activemq-artemis", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "1:2.0.0-2.redhat_00005.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-activemq-artemis-native", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:1.8.0-2.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-aesh-extensions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.2.0-2.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-aesh-readline", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:1.16.1-2.redhat_00007.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-apache-commons-codec", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:3.2.2-28.redhat_2.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-apache-commons-collections", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.15.1-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-apache-commons-io", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:3.14.0-2.redhat_00006.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-apache-commons-lang", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:4.0.5-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-apache-cxf", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "1:2.0.0-2.redhat_00005.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-artemis-native", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.0.1-1.redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-artemis-wildfly-integration", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:0.1.0-2.redhat_00010.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-asyncutil", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:1.12.284-2.redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-aws-java-sdk", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:1.2.5-2.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-cryptacular", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:800.4.0-1.GA_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-eap-product-conf-parent", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.1.0-4.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-fastinfoset", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:6.2.31-1.Final_redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-hibernate", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:8.0.1-3.Final_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-hibernate-validator", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:0.8.1-2.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-hppc", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:1.1.3-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-insights-java-client", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:3.0.1-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-jakarta-servlet-jsp-jstl-api", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:1.1.3-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-jboss-cert-helper", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:3.5.3-1.Final_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-jboss-logging", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:4.0.2-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-jctools", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:5.3.10-1.Final_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-jgroups", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.22.1-1.redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-log4j", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:6.0.3-1.Final_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-narayana", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:9.37.3-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-nimbus-jose-jwt", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:9.6.0-1.redhat_00002.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-objectweb-asm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.3.0-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-pem-keystore", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.0.1-3.Final_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-resteasy-extensions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:3.0.1-2.Final_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-resteasy-spring", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:3.0.4-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-saaj-impl", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:8.0.0-6.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-shibboleth-java-support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.0.16-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-slf4j", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.2.0-1.redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-snakeyaml", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:8.0.4-2.GA_redhat_00005.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-wildfly", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6"], "vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "packageName": "org.keycloak/keycloak-saml-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"], "vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 7", "versions": [{"status": "unaffected", "version": "0:18.0.18-1.redhat_00001.1.el7sso", "lessThan": "*", "versionType": "rpm"}], "packageName": "rh-sso7-keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"], "vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:18.0.18-1.redhat_00001.1.el8sso", "lessThan": "*", "versionType": "rpm"}], "packageName": "rh-sso7-keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"], "vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:18.0.18-1.redhat_00001.1.el9sso", "lessThan": "*", "versionType": "rpm"}], "packageName": "rh-sso7-keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"], "vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "versions": [{"status": "unaffected", "version": "7.6-54", "lessThan": "*", "versionType": "rpm"}], "packageName": "rh-sso-7/sso76-openshift-rhel8", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "org.keycloak/keycloak-saml-core-public", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"], "vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "packageName": "org.keycloak/keycloak-saml-core-public", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-09-10T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-19T15:12:00+00:00", "value": "Made public."}], "datePublic": "2024-09-19T15:12:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:6878", "name": "RHSA-2024:6878", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6879", "name": "RHSA-2024:6879", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6880", "name": "RHSA-2024:6880", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6882", "name": "RHSA-2024:6882", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6886", "name": "RHSA-2024:6886", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6887", "name": "RHSA-2024:6887", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6888", "name": "RHSA-2024:6888", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6889", "name": "RHSA-2024:6889", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6890", "name": "RHSA-2024:6890", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8823", "name": "RHSA-2024:8823", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8824", "name": "RHSA-2024:8824", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8826", "name": "RHSA-2024:8826", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-8698", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311641", "name": "RHBZ#2311641", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-12-13T14:15:19.702Z"}, "x_redhatCweChain": "CWE-347: Improper Verification of Cryptographic Signature"}}, "cveMetadata": {"cveId": "CVE-2024-8698", "state": "PUBLISHED", "dateUpdated": "2024-12-13T14:15:19.702Z", "dateReserved": "2024-09-11T12:55:53.092Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-09-19T15:48:18.464Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks."}, {"lang": "es", "value": "Existe una falla en el m\u00e9todo de validaci\u00f3n de firma SAML dentro de la clase XMLSignatureUtil de Keycloak. El m\u00e9todo determina incorrectamente si una firma SAML es para el documento completo o solo para afirmaciones espec\u00edficas seg\u00fan la posici\u00f3n de la firma en el documento XML, en lugar del elemento Reference utilizado para especificar el elemento firmado. Esta falla permite a los atacantes crear respuestas manipuladas que pueden eludir la validaci\u00f3n, lo que puede provocar ataques de suplantaci\u00f3n o escalada de privilegios."}], "id": "CVE-2024-8698", "lastModified": "2024-12-12T20:15:22.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.3, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-09-19T16:15:06.177", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6878"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6879"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6880"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6882"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6886"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6887"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6888"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6889"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6890"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8823"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8824"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8826"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-8698"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311641"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Tanner Emek for reporting this issue.", "affected_release": [{"advisory": "RHSA-2024:6888", "cpe": "cpe:/a:redhat:build_keycloak:22", "product_name": "Red Hat Build of Keycloak", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6890", "cpe": "cpe:/a:redhat:build_keycloak:24", "package": "org.keycloak/keycloak-saml-core", "product_name": "Red Hat Build of Keycloak", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6887", "cpe": "cpe:/a:redhat:build_keycloak:22::el9", "package": "rhbk/keycloak-operator-bundle:22.0.13-1", "product_name": "Red Hat build of Keycloak 22", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6887", "cpe": "cpe:/a:redhat:build_keycloak:22::el9", "package": "rhbk/keycloak-rhel9:22-18", "product_name": "Red Hat build of Keycloak 22", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6887", "cpe": "cpe:/a:redhat:build_keycloak:22::el9", "package": "rhbk/keycloak-rhel9-operator:22-21", "product_name": "Red Hat build of Keycloak 22", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6889", "cpe": "cpe:/a:redhat:build_keycloak:24::el9", "package": "rhbk/keycloak-operator-bundle:24.0.8-1", "product_name": "Red Hat build of Keycloak 24", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6889", "cpe": "cpe:/a:redhat:build_keycloak:24::el9", "package": "rhbk/keycloak-rhel9:24-17", "product_name": "Red Hat build of Keycloak 24", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6889", "cpe": "cpe:/a:redhat:build_keycloak:24::el9", "package": "rhbk/keycloak-rhel9-operator:24-17", "product_name": "Red Hat build of Keycloak 24", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:8826", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "org.keycloak/keycloak-saml-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8826", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "org.keycloak/keycloak-saml-core-public", "product_name": "Red Hat JBoss Enterprise Application Platform 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-activemq-artemis-0:2.33.0-1.redhat_00015.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-activemq-artemis-native-1:2.0.0-2.redhat_00005.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-aesh-extensions-0:1.8.0-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-aesh-readline-0:2.2.0-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-commons-codec-0:1.16.1-2.redhat_00007.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-commons-collections-0:3.2.2-28.redhat_2.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-commons-io-0:2.15.1-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-commons-lang-0:3.14.0-2.redhat_00006.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-cxf-0:4.0.5-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-artemis-native-1:2.0.0-2.redhat_00005.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-artemis-wildfly-integration-0:2.0.1-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-asyncutil-0:0.1.0-2.redhat_00010.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-aws-java-sdk-0:1.12.284-2.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-cryptacular-0:1.2.5-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-eap-product-conf-parent-0:800.4.0-1.GA_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-fastinfoset-0:2.1.0-4.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-hibernate-0:6.2.31-1.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-hibernate-validator-0:8.0.1-3.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-hppc-0:0.8.1-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-insights-java-client-0:1.1.3-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jakarta-servlet-jsp-jstl-api-0:3.0.1-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jboss-logging-0:3.5.3-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jctools-0:4.0.2-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jgroups-0:5.3.10-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-log4j-0:2.22.1-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-narayana-0:6.0.3-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-nimbus-jose-jwt-0:9.37.3-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-objectweb-asm-0:9.6.0-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-pem-keystore-0:2.3.0-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-resteasy-extensions-0:2.0.1-3.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-resteasy-spring-0:3.0.1-2.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-saaj-impl-0:3.0.4-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-shibboleth-java-support-0:8.0.0-6.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-slf4j-0:2.0.16-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-snakeyaml-0:2.2.0-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-wildfly-0:8.0.4-2.GA_redhat_00005.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-activemq-artemis-0:2.33.0-1.redhat_00015.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-activemq-artemis-native-1:2.0.0-2.redhat_00005.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-aesh-extensions-0:1.8.0-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-aesh-readline-0:2.2.0-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-codec-0:1.16.1-2.redhat_00007.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-collections-0:3.2.2-28.redhat_2.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-io-0:2.15.1-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-lang-0:3.14.0-2.redhat_00006.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-cxf-0:4.0.5-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-artemis-native-1:2.0.0-2.redhat_00005.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-artemis-wildfly-integration-0:2.0.1-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-asyncutil-0:0.1.0-2.redhat_00010.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-aws-java-sdk-0:1.12.284-2.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-cryptacular-0:1.2.5-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-eap-product-conf-parent-0:800.4.0-1.GA_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-fastinfoset-0:2.1.0-4.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hibernate-0:6.2.31-1.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hibernate-validator-0:8.0.1-3.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hppc-0:0.8.1-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-insights-java-client-0:1.1.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jakarta-servlet-jsp-jstl-api-0:3.0.1-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jboss-logging-0:3.5.3-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jctools-0:4.0.2-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jgroups-0:5.3.10-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-log4j-0:2.22.1-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-narayana-0:6.0.3-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-nimbus-jose-jwt-0:9.37.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-objectweb-asm-0:9.6.0-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-pem-keystore-0:2.3.0-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-resteasy-extensions-0:2.0.1-3.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-resteasy-spring-0:3.0.1-2.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-saaj-impl-0:3.0.4-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-shibboleth-java-support-0:8.0.0-6.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-slf4j-0:2.0.16-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-snakeyaml-0:2.2.0-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wildfly-0:8.0.4-2.GA_redhat_00005.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:6886", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6", "package": "org.keycloak/keycloak-saml-core", "product_name": "Red Hat Single Sign-On 7", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6878", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-keycloak-0:18.0.18-1.redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6879", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-keycloak-0:18.0.18-1.redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6880", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package": "rh-sso7-keycloak-0:18.0.18-1.redhat_00001.1.el9sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6882", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso76-openshift-rhel8:7.6-54", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2024-09-19T00:00:00Z"}], "bugzilla": {"description": "keycloak-saml-core: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak", "id": "2311641", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311641"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", "status": "verified"}, "cwe": "CWE-347", "details": ["A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.", "A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-8698", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "org.keycloak/keycloak-saml-core-public", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "org.keycloak/keycloak-saml-core-public", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2024-09-19T15:12:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8698\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8698"], "statement": "This vulnerability is of high severity due to its potential to facilitate privilege escalation and user impersonation in systems using SAML for authentication. The core issue stems from improper validation logic in Keycloak's signature validation method, which relies on the position of signatures rather than explicitly checking the referenced elements. By manipulating the XML structure, an attacker can bypass signature validation and inject an unsigned assertion while retaining a valid signed one. This allows unauthorized access to high-privileged accounts, leading to significant security risks in SAML-based identity providers and service providers.", "threat_severity": "Important"}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object