No, Keycloak is not vulnerable to this exploit.
On Mon, Apr 16, 2018 at 6:24 PM, Jason Spittel <jasonspittel(a)yahoo.com> wrote:
Hello,
I was alerted to this exploit, and was wondering if Keycloak, acting as an
SP in a SAML authentication workflow, is vulnerable to it.
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
Briefly, if a comment is put into an XML value, some parsers seem to stop
parsing during canonicalization so that these two values are equivalent and
equally valid for the same dsig:
user@domain.com
user@domain.com<!--and this breaks parsing-->.hackers.net
Would it basically come down to if the parsers that Keycloak is using for
SAML are vulnerable? Which look to be the javax.xml.stream parsers. Is that
correct?
Thanks,
Jason
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
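
The situation asked about above, as an added example that is not part of the original thread and not Keycloak's code: with `javax.xml.stream`, a text value split by a comment arrives as separate `CHARACTERS` events, so extraction code that reads only the first event sees a shorter value than `getElementText()`, which skips comments and concatenates the text. The class name, helper names and the `NameID` element name are assumptions; the value is the one quoted in the question.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class CommentSplitCheck {
    // Constructed sample: element name is an assumption, value is from the thread.
    static final String SAMPLE =
        "<NameID>user@domain.com<!--and this breaks parsing-->.hackers.net</NameID>";

    // Open a reader positioned on the first START_ELEMENT.
    static XMLStreamReader open(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Hardening for untrusted input: no DTDs, no external entities.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        while (r.next() != XMLStreamConstants.START_ELEMENT) { /* skip prolog */ }
        return r;
    }

    // Fragile pattern: returns after the first CHARACTERS event,
    // so anything following a comment inside the element is lost.
    static String firstTextOnly(String xml) throws XMLStreamException {
        XMLStreamReader r = open(xml);
        while (r.hasNext()) {
            int ev = r.next();
            if (ev == XMLStreamConstants.CHARACTERS) return r.getText();
            if (ev == XMLStreamConstants.END_ELEMENT) break;
        }
        return "";
    }

    // Robust pattern: getElementText() skips comments and processing
    // instructions and returns all character data up to the END_ELEMENT.
    static String fullText(String xml) throws XMLStreamException {
        return open(xml).getElementText();
    }

    public static void main(String[] args) throws XMLStreamException {
        String first = firstTextOnly(SAMPLE);
        String full = fullText(SAMPLE);
        System.out.println("first CHARACTERS event: " + first);
        System.out.println("getElementText():       " + full);
        if (!first.equals(full)) {
            System.out.println("MISMATCH: first-event extraction truncates at the comment");
        }
    }
}
```

Running the same comparison against the extraction helper an SP actually uses for signed identity values shows whether it truncates at comments.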