CVE-2017-2646: Loop with Unreachable Exit Condition ('Infinite Loop')

October 18, 2018 (updated September 14, 2021)

It was found that when Keycloak before 2.5.5 receives a Logout request with a Extensions in the middle of the request, the SAMLSloRequestParser.parse() method ends in a infinite loop. An attacker could use this flaw to conduct denial of service attacks.

References

github.com/advisories/GHSA-jc6q-27mw-p55w
nvd.nist.gov/vuln/detail/CVE-2017-2646

Detect and mitigate CVE-2017-2646 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →