Subject: [ASA-202106-19] keycloak: incorrect calculation Arch Linux Security Advisory ASA-202106-19 ========================================== Severity: Low Date : 2021-06-01 CVE-ID : CVE-2021-3461 Package : keycloak Type : incorrect calculation Remote : Yes Link : https://security.archlinux.org/AVG-1994 Summary ======= The package keycloak before version 13.0.1-1 is vulnerable to incorrect calculation. Resolution ========== Upgrade to 13.0.1-1. # pacman -Syu "keycloak>=13.0.1-1" The problem has been fixed upstream in version 13.0.1. Workaround ========== None. Description =========== Keycloak may fail to logout a user session if the logout request comes from an external SAML identity provider that is set up to identify the principal via attributes rather than by Subject Name ID. Impact ====== A remote attacker could take over a logged out user session if they manage to obtain the old session token. References ========== https://bugzilla.redhat.com/show_bug.cgi?id=1941565 https://issues.redhat.com/browse/KEYCLOAK-17495 https://github.com/keycloak/keycloak/commit/f014299e7c781dff2b492b81bc81adcf717bd530 https://security.archlinux.org/CVE-2021-3461