It was found that, while parsing SAML messages, the StaxParserUtil class of Keycloak before 2.5.1 replaced special strings used for obtaining attribute values with the values of system properties. This could allow an attacker to determine the values of system properties on the attacked system by setting the SAML request ID field to the placeholder for the chosen system property; the resolved value is then returned in the “InResponseTo” field of the response.
www.securityfocus.com/bid/101046
www.securitytracker.com/id/1041707
access.redhat.com/errata/RHSA-2017:2808
access.redhat.com/errata/RHSA-2017:2809
access.redhat.com/errata/RHSA-2017:2810
access.redhat.com/errata/RHSA-2017:2811
access.redhat.com/errata/RHSA-2017:3216
access.redhat.com/errata/RHSA-2017:3217
access.redhat.com/errata/RHSA-2017:3218
access.redhat.com/errata/RHSA-2017:3219
access.redhat.com/errata/RHSA-2017:3220
access.redhat.com/errata/RHSA-2018:2740
access.redhat.com/errata/RHSA-2018:2741
access.redhat.com/errata/RHSA-2018:2742
access.redhat.com/errata/RHSA-2018:2743
access.redhat.com/errata/RHSA-2019:0136
access.redhat.com/errata/RHSA-2019:0137
access.redhat.com/errata/RHSA-2019:0139
bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2582
github.com/keycloak/keycloak/pull/3715/commits/0cb5ba0f6e83162d221681f47b470c3042eef237