A flaw was found in JBOSS Keycloak. The SAML broker consumer endpoint ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.
Any more information on this? Particularly affected/fixed versions?
Fixed in Keycloak 4.6.0.Final, added.
This vulnerability is out of security support scope for the following product:
* Red Hat Mobile Application Platform
Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details
This issue has been addressed in the following products:
Red Hat Single Sign-On 7.2.5 zip
Via RHSA-2018:3595 https://access.redhat.com/errata/RHSA-2018:3595
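The missing lifetime check that the description above refers to, shown as an added Python example (not Keycloak's code): a permissive acceptor that takes any well-formed assertion, beside a validator that enforces the Conditions and bearer SubjectConfirmationData time bounds. The sample assertion is constructed, and the 30-second clock-skew tolerance is an assumed value.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture); only the timing attributes matter here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo" Version="2.0">
  <saml:Conditions NotBefore="2018-10-01T12:00:00Z" NotOnOrAfter="2018-10-01T12:05:00Z"/>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2018-10-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML dateTime values are UTC with a 'Z' suffix; fractional seconds are dropped."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def accept_without_expiry_check(assertion_xml):
    """Illustrates the flawed behaviour: the assertion is accepted as long as it parses."""
    ET.fromstring(assertion_xml)
    return True


def validate_assertion_lifetime(assertion_xml, now, skew=timedelta(seconds=30)):
    """Return (ok, reason). Enforces Conditions and bearer SubjectConfirmationData time bounds."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        return False, "assertion has no Conditions/NotOnOrAfter, so it would never expire"
    not_before = conditions.get("NotBefore")
    if not_before is not None and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    if now - skew >= parse_saml_time(conditions.get("NotOnOrAfter")):
        return False, "assertion expired"
    # Bearer confirmations carry their own deadline; an expired one must also be rejected.
    for scd in root.findall(".//saml:SubjectConfirmationData", NS):
        deadline = scd.get("NotOnOrAfter")
        if deadline is not None and now - skew >= parse_saml_time(deadline):
            return False, "subject confirmation expired"
    return True, "ok"


if __name__ == "__main__":
    late = parse_saml_time("2018-10-01T12:10:00Z")  # five minutes after NotOnOrAfter
    print(accept_without_expiry_check(SAMPLE_ASSERTION))        # True: stale assertion accepted
    print(validate_assertion_lifetime(SAMPLE_ASSERTION, late))  # (False, 'assertion expired')
```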