The vulnerability lies in Keycloak’s XMLSignatureUtil class, which incorrectly verifies SAML signatures, disregarding the vital “Reference” element that specifies the signed portion of the document.
This article has been indexed from Cyware News – Latest Cyber News