A flaw was found in Keycloak: when Keycloak brokers an external SAML identity provider whose Principal Type is set to Attribute [Name] (the brokered user is identified by the value of a named SAML attribute rather than by the Subject NameID), Keycloak may fail to log out the user session when the logout request comes from that external identity provider. The user session that the IdP-initiated logout was meant to terminate can therefore remain valid in Keycloak until it expires or is revoked by other means.
According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”
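To make the session-correlation problem concrete, here is an added example (not code from Keycloak or Red Hat; the page does not state the root cause of the flaw) that builds and parses a SAML 2.0 LogoutRequest with only the standard library and then looks up the local session it should terminate. Per SAML 2.0 Core, a LogoutRequest identifies the principal by NameID (or BaseID/EncryptedID) plus optional SessionIndex and carries no AttributeStatement, so a service provider that keyed the brokered identity on an attribute value must still have retained the assertion's NameID to correlate the logout. The entity IDs, session records and field names below are constructed for this example.

```python
"""Added example: SAML 2.0 LogoutRequest build/parse and session correlation.
Element names follow the SAML 2.0 Core schema; the session records and
identifiers are constructed for illustration and are not Keycloak's model."""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample data (hypothetical entity IDs and session store).
IDP_ENTITY_ID = "https://idp.example.com/saml"
BROKER_ENDPOINT = "https://sso.example.com/realms/demo/broker/idp/endpoint"
SAMPLE_SESSIONS = {
    # The SP keyed the identity on an attribute (email), but also kept the
    # NameID and SessionIndex from the assertion that created the session.
    "local-1": {"idp": IDP_ENTITY_ID, "name_id": "abc-123",
                "session_index": "_s1", "principal": "alice@example.com"},
    "local-2": {"idp": IDP_ENTITY_ID, "name_id": "def-456",
                "session_index": "_s2", "principal": "bob@example.com"},
}


def build_logout_request(issuer, name_id, session_index, destination,
                         name_id_format=NAMEID_PERSISTENT):
    """Serialize an unsigned IdP-initiated LogoutRequest (signing omitted)."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    root = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = issuer
    nid = ET.SubElement(root, f"{{{NS['saml']}}}NameID", {"Format": name_id_format})
    nid.text = name_id
    ET.SubElement(root, f"{{{NS['samlp']}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def parse_logout_request(xml_text):
    """Extract the fields an SP needs to correlate the logout with a session."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    name_id = root.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        # BaseID/EncryptedID are also legal; this example handles NameID only.
        raise ValueError("LogoutRequest without a plain NameID")
    return {
        "id": root.get("ID"),
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "name_id": name_id.text.strip(),
        "name_id_format": name_id.get("Format"),
        "session_indexes": [e.text.strip() for e in root.findall("samlp:SessionIndex", NS)
                            if e.text],
        # Always empty for a LogoutRequest: the schema has no AttributeStatement.
        "attribute_statements": root.findall(".//saml:AttributeStatement", NS),
    }


def find_session_to_terminate(req, sessions, expected_issuer, match_on="name_id"):
    """Return the local session id a compliant SP should terminate, or None.
    match_on="name_id" compares against the NameID kept from the assertion;
    match_on="principal" shows the failure mode of comparing the request's
    NameID with an attribute-derived principal instead."""
    if req["issuer"] != expected_issuer:
        return None  # never honour a logout from an unexpected issuer
    for sid, s in sessions.items():
        if s["idp"] != req["issuer"]:
            continue
        if req["session_indexes"] and s["session_index"] not in req["session_indexes"]:
            continue
        if s[match_on] == req["name_id"]:
            return sid
    return None


def demo():
    """Run the two lookups against the constructed store; returns (ok, broken)."""
    xml = build_logout_request(IDP_ENTITY_ID, "abc-123", "_s1", BROKER_ENDPOINT)
    req = parse_logout_request(xml)
    by_name_id = find_session_to_terminate(req, SAMPLE_SESSIONS, IDP_ENTITY_ID, "name_id")
    by_principal = find_session_to_terminate(req, SAMPLE_SESSIONS, IDP_ENTITY_ID, "principal")
    return by_name_id, by_principal


if __name__ == "__main__":
    print(demo())
```

The practical check this suggests for any SAML broker, Keycloak included: after an IdP-initiated logout, confirm in the admin console (or via the session/introspection endpoints) that the brokered user's session is gone, not just that the IdP returned a LogoutResponse. If the broker identifies users by an attribute, it still has to retain the assertion's NameID and SessionIndex to find the right session.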
Products and packages listed for this flaw:

Name | Vendor | Start Version | End Version |
---|---|---|---|
Keycloak | Red Hat | 9.0.13 (including) | 9.0.13 (including) |
Red Hat Single Sign-On 7.4.7 | Red Hat | keycloak | * |
Red Hat Single Sign-On 7.4 for RHEL 6 | Red Hat | rh-sso7-keycloak-0:9.0.13-1.redhat_00006.1.el6sso | * |
Red Hat Single Sign-On 7.4 for RHEL 7 | Red Hat | rh-sso7-keycloak-0:9.0.13-1.redhat_00006.1.el7sso | * |
Red Hat Single Sign-On 7.4 for RHEL 8 | Red Hat | rh-sso7-keycloak-0:9.0.13-1.redhat_00006.1.el8sso | * |