It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.
https://github.com/keycloak/keycloak/pull/3715/commits/0cb5ba0f6e83162d221681f47b470c3042eef237
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2582
https://access.redhat.com/errata/RHSA-2019:0139
https://access.redhat.com/errata/RHSA-2019:0137
https://access.redhat.com/errata/RHSA-2019:0136
https://access.redhat.com/errata/RHSA-2018:2743
https://access.redhat.com/errata/RHSA-2018:2742
https://access.redhat.com/errata/RHSA-2018:2741
https://access.redhat.com/errata/RHSA-2018:2740
https://access.redhat.com/errata/RHSA-2017:3220
https://access.redhat.com/errata/RHSA-2017:3219
https://access.redhat.com/errata/RHSA-2017:3218
https://access.redhat.com/errata/RHSA-2017:3217
https://access.redhat.com/errata/RHSA-2017:3216
https://access.redhat.com/errata/RHSA-2017:2811
https://access.redhat.com/errata/RHSA-2017:2810
https://access.redhat.com/errata/RHSA-2017:2809
https://access.redhat.com/errata/RHSA-2017:2808