Keycloak Update (MINDBREEZE32592)

ID: MINDBREEZE32592 
Affected Components: Mindbreeze InSpire, Mindbreeze InSpire SaaS  
Severity: 7.7 High 
Status: Final 
First published: December 2, 2024 
CVEs: CVE-2023-6841, CVE-2024-7341, CVE-2024-8698, CVE-2024-4629 

Summary

  • CVE-2023-6841 - keycloak: the number of attributes per object is not limited, which may lead to denial of service (DoS)
  • CVE-2024-7341 - keycloak-services: session fixation in the Elytron SAML adapters
  • CVE-2024-8698 - keycloak-saml-core: improper verification of SAML responses, leading to privilege escalation in Keycloak
  • CVE-2024-4629 - keycloak: potential bypass of brute-force protection

Hotfix Information 

Fixed with the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

  • Mindbreeze InSpire Release 24.7
  • Mindbreeze InSpire SaaS Release 24.7