Cyber Resilience

CVE-2024-8698

High

Published: 19 September 2024

Modified: 15 April 2026
KEV Added: not listed
Patch: available (see Red Hat errata below)
CVSS Score v3.1: 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.8222 (99.2nd percentile)
Risk Priority: 65 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-8698 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Keycloak's SAML signature validation. Its CVSS base score is 7.7 (High).

Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2024-8698 is a flaw in the SAML signature validation logic inside the XMLSignatureUtil class of Keycloak. Rather than inspecting the Reference element that identifies which part of a SAML document a signature actually covers, the code decides whether a signature applies to the whole document or only to an assertion from the physical position of the Signature element within the XML. Because position and Reference can disagree, an attacker can supply a crafted response in which the two do not match and still pass the validation check.

An attacker with low privileges can exploit the issue over the network by sending a malicious SAML assertion or response. Successful exploitation can result in impersonation of other users or privilege escalation, consistent with the CVSS 7.7 rating that reflects high confidentiality impact and changed scope.

Red Hat has published the following errata containing fixes for affected Keycloak packages: RHSA-2024:6878, RHSA-2024:6879, RHSA-2024:6880, RHSA-2024:6882, and RHSA-2024:6886. Organizations should apply the updates referenced in these advisories.

The CVE carries an EPSS score of 0.8222 (peak 0.8324), indicating elevated likelihood of exploitation attempts.


Vulnerability details

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
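To make the distinction between the two scoping rules concrete, here is an added Python model (not Keycloak's code, and not the patched XMLSignatureUtil logic) that compares a position-based guess with the Reference-based rule on a constructed SAML Response; the sample XML, the element IDs "_resp1"/"_assert1" and the helper names are assumptions for illustration. Actual signature verification (digest and SignatureValue checks) is out of scope and deliberately omitted.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def sample_response(reference_uri):
    # Constructed SAML Response: the Signature sits directly under the Response
    # (the position a whole-document signature would occupy) while its Reference
    # URI is a parameter, so the two scoping rules can be compared.
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="{reference_uri}"/></ds:SignedInfo>
    <ds:SignatureValue>constructed</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_assert1"><saml:Issuer>idp</saml:Issuer></saml:Assertion>
</samlp:Response>"""

def position_based_scope(root, sig):
    # Heuristic of the kind the advisory describes: scope is inferred from where
    # the Signature element sits, ignoring what its Reference actually points at.
    return "document" if sig in list(root) else "assertion"

def reference_based_scope(root, sig):
    # Correct rule (SAML core 5.4.2): exactly one same-document Reference whose
    # URI resolves to the ID of the Signature's own parent (enveloped signature).
    # Any other shape is rejected (None) instead of being guessed from position.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    refs = sig.findall(f"{DS}SignedInfo/{DS}Reference")
    if len(refs) != 1:
        return None
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        return None
    signed = by_id.get(uri[1:])
    if signed is None or signed is not parent_of.get(sig):
        return None
    return "document" if signed is root else "assertion"

def analyse(xml_text):
    # Returns (position-based verdict, reference-based verdict) for the first Signature.
    root = ET.fromstring(xml_text)
    sig = root.find(f"{DS}Signature")
    if sig is None:
        return None, None
    return position_based_scope(root, sig), reference_based_scope(root, sig)

if __name__ == "__main__":
    print(analyse(sample_response("#_resp1")))    # ('document', 'document')
    print(analyse(sample_response("#_assert1")))  # ('document', None)
```

The second case is the one that matters for detection: a Signature placed where a document signature would sit but whose Reference names only the Assertion is accepted as a document signature by position and rejected by the Reference check.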

CWE(s): CWE-347 (Improper Verification of Cryptographic Signature)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.


Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- addresses CWE-347: Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.
- addresses CWE-347: Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.
- addresses CWE-347: PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.
- addresses CWE-347: Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.
- addresses CWE-347: Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.
- addresses CWE-347: Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.
- addresses CWE-347: Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.
