CVE-2024-8698
Published: 19 September 2024
Summary
CVE-2024-8698 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability. Its CVSS base score is 7.7 (High).
Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-8698 is a flaw in the SAML signature validation logic inside the XMLSignatureUtil class of Keycloak. Rather than inspecting the Reference element that identifies the signed portion of a SAML document, the code relies on the position of the Signature element within the XML to decide whether the signature covers the whole document or only specific assertions, enabling attackers to supply crafted responses that pass validation checks.
An attacker with low privileges can exploit the issue over the network by sending a malicious SAML assertion or response. Successful exploitation can result in impersonation of other users or privilege escalation, consistent with the CVSS 7.7 rating that reflects high confidentiality impact and changed scope.
Red Hat has published the following errata containing fixes for affected Keycloak packages: RHSA-2024:6878, RHSA-2024:6879, RHSA-2024:6880, RHSA-2024:6882, and RHSA-2024:6886. Organizations should apply the updates referenced in these advisories.
The CVE carries an EPSS score of 0.8222 (peak 0.8324), indicating elevated likelihood of exploitation attempts.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3168
Vulnerability details
A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
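Added example, not Keycloak's code: it contrasts a position-based guess about what a SAML signature covers with resolving the signed element from ds:SignedInfo/ds:Reference/@URI, on a constructed Response in which the Signature sits directly under the Response but references only one of two assertions. The sample XML, the function names and the placeholder SignatureValue are assumptions; digest and signature bytes are not verified here, only the question of which element a signature is bound to.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
DS_SIGNATURE = "{%s}Signature" % NS["ds"]
SAML_ASSERTION = "{%s}Assertion" % NS["saml"]

# Constructed sample (not real Keycloak traffic): the Signature sits directly under the
# Response but references only _a1, so _a2 is unsigned. SignatureValue is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1"><saml:Subject>alice</saml:Subject></saml:Assertion>
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_a2"><saml:Subject>admin</saml:Subject></saml:Assertion>
</samlp:Response>"""


def position_based_signed_id(xml_text):
    # Flawed heuristic in the spirit of the flaw described above: a Signature placed
    # directly under the Response is taken to cover the whole document, whatever it
    # references. Returns the ID of the element assumed signed, or None.
    root = ET.fromstring(xml_text)
    return root.get("ID") if root.find("ds:Signature", NS) is not None else None


def element_covered_by(root, sig):
    # Resolve what the Signature actually covers from ds:SignedInfo/ds:Reference/@URI.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "")
    if uri == "":
        return root  # empty URI: enveloped signature over the whole document
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted: %r" % uri)
    matches = [el for el in root.iter() if el.get("ID") == uri[1:]]
    if len(matches) != 1:
        raise ValueError("Reference %r must resolve to exactly one ID" % uri)
    return matches[0]


def covered_assertion_ids(xml_text):
    # IDs of assertions that sit inside an element some Signature references.
    root = ET.fromstring(xml_text)
    covered = set()
    for sig in root.iter(DS_SIGNATURE):
        target = element_covered_by(root, sig)
        covered.update(a.get("ID") for a in target.iter(SAML_ASSERTION))
    return covered
```

On the sample, `position_based_signed_id` reports the whole Response (`_resp1`) as signed, so the unsigned `_a2` would be trusted, while `covered_assertion_ids` returns only `{'_a1'}`; a consumer should accept an assertion only if its ID is in that set.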
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.
- Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.
- PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.
- Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.
- Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.
- Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.
- Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.