CVE-2017-2646
Keycloak vulnerable to infinite loop based Denial of Service
7.5
HIGH
CVSS 3.1
EPSS 0.50%
Description
In Keycloak versions prior to 2.5.5, a SAML LogoutRequest that carries an Extensions element in the middle of the request (the SAML 2.0 schema allows Extensions between the Issuer and the NameID) causes the SAMLSloRequestParser.parse() method to enter an infinite loop. A remote, unauthenticated attacker (PR:N in the vector below) can send such a request to the SAML logout endpoint to conduct a denial of service attack against the server.
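The bug class behind this advisory is a streaming (StAX-style) parser loop that peeks at the next element, dispatches on its name, and never advances the reader when the name is one it does not handle. The following is an added example, not Keycloak's code: it rebuilds that pattern in Python over a constructed SAML LogoutRequest (element names and ordering follow the SAML 2.0 protocol schema; the `EventReader`, `consume_element`, `skip_subtree` helpers and the `max_steps` guard are assumptions introduced for the demo), shows the vulnerable loop getting stuck on Extensions, and the hardened loop that always consumes or skips whatever it peeked.

```python
"""Added example for CVE-2017-2646: peek-without-advance loop vs. a loop that always makes progress.
Not Keycloak's code; it illustrates the bug class with a tiny StAX-like reader."""
import xml.etree.ElementTree as ET
from io import BytesIO

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_logout_request(with_extensions: bool) -> bytes:
    """Constructed sample input (not captured traffic). Extensions is legal between Issuer and NameID."""
    ext = ('<samlp:Extensions><ext:Hint xmlns:ext="urn:example:ext">x</ext:Hint></samlp:Extensions>'
           if with_extensions else "")
    return f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2017-03-01T00:00:00Z">
  <saml:Issuer>https://sp.example/metadata</saml:Issuer>
  {ext}
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
  <samlp:SessionIndex>_sess1</samlp:SessionIndex>
</samlp:LogoutRequest>""".encode()


class EventReader:
    """Minimal StAX-like reader: peek() shows the next start/end event, next() consumes it."""
    def __init__(self, data: bytes):
        self.events = list(ET.iterparse(BytesIO(data), events=("start", "end")))
        self.pos = 0

    def has_next(self) -> bool:
        return self.pos < len(self.events)

    def peek(self):
        return self.events[self.pos]

    def next(self):
        ev = self.events[self.pos]
        self.pos += 1
        return ev


def local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def consume_element(reader: EventReader) -> str:
    """Consume the element whose start event is next, through its matching end; return its text."""
    event, elem = reader.next()
    depth = 1
    while depth:
        event, _ = reader.next()
        depth += 1 if event == "start" else -1
    return (elem.text or "").strip()  # text is complete once the end event has been seen


def skip_subtree(reader: EventReader) -> None:
    """Advance past whatever is next: a stray end event, or a whole unknown element."""
    if reader.peek()[0] == "end":
        reader.next()
    else:
        consume_element(reader)


class ParserStuck(Exception):
    """Raised by the demo guard instead of spinning forever."""


def _dispatch(reader: EventReader, name: str, out: dict) -> bool:
    """Handle the known LogoutRequest children; return False for anything else."""
    if name == "Issuer":
        out["issuer"] = consume_element(reader)
    elif name == "NameID":
        out["name_id"] = consume_element(reader)
    elif name == "SessionIndex":
        out["session_index"].append(consume_element(reader))
    else:
        return False
    return True


def parse_logout_request_vulnerable(data: bytes, max_steps: int = 10_000) -> dict:
    """Bug class: an unknown child (e.g. Extensions) is neither consumed nor skipped, so peek()
    returns the same event on every iteration. max_steps exists only so the demo terminates."""
    reader = EventReader(data)
    reader.next()  # <samlp:LogoutRequest> start event
    out = {"session_index": []}
    steps = 0
    while reader.has_next():
        steps += 1
        if steps > max_steps:
            raise ParserStuck(f"no progress after {max_steps} iterations, stuck on <{local(reader.peek()[1].tag)}>")
        event, elem = reader.peek()
        if event == "end" and local(elem.tag) == "LogoutRequest":
            reader.next()
            break
        _dispatch(reader, local(elem.tag), out)  # unknown name: falls through without advancing
    return out


def parse_logout_request_fixed(data: bytes) -> dict:
    """Hardened loop: every iteration consumes at least one event, so unknown elements are skipped."""
    reader = EventReader(data)
    reader.next()
    out = {"session_index": []}
    while reader.has_next():
        event, elem = reader.peek()
        if event == "end" and local(elem.tag) == "LogoutRequest":
            reader.next()
            break
        if not _dispatch(reader, local(elem.tag), out):
            skip_subtree(reader)  # the invariant that prevents the CVE-2017-2646 loop
    return out


def is_stuck(parser, data: bytes) -> bool:
    """True if the parser fails to make progress on this input (demo guard tripped)."""
    try:
        parser(data)
        return False
    except ParserStuck:
        return True


if __name__ == "__main__":
    for with_ext in (False, True):
        req = build_logout_request(with_ext)
        print(f"Extensions present: {with_ext}")
        print("  vulnerable:", "STUCK" if is_stuck(parse_logout_request_vulnerable, req) else parse_logout_request_vulnerable(req))
        print("  fixed:     ", parse_logout_request_fixed(req))
```

The invariant worth taking from this is the one the fixed loop enforces: in any peek-and-dispatch parser, the default branch must move the reader forward (skip the subtree, or reject the message), never fall through. A regression test for a SAML stack can simply feed a LogoutRequest with Extensions through the parser under a timeout.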
How to fix CVE-2017-2646
To remediate CVE-2017-2646, upgrade the affected package to a fixed version below.
- upgrade to 2.5.5 or later
Is CVE-2017-2646 being exploited?
Low. EPSS is 0.5%, meaning the EPSS model estimates roughly a 0.5% probability of exploitation activity in the next 30 days. This is a prediction, not an observation, and it says nothing about impact: the request that triggers the loop is unauthenticated, so the fix should still be applied promptly on any Keycloak instance that exposes SAML logout.
Affected packages (1)
- all versions from 0 up to, but not including, 2.5.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |