Keycloak: reflected xss attack
CVE-2022-4137

8.1HIGH

Key Information:

Vendor

Red Hat
Status
Red Hat Single Sign-on 7
Red Hat Single Sign-on 7.6 For Rhel 7
Red Hat Single Sign-on 7.6 For Rhel 8
Red Hat Single Sign-on 7.6 For Rhel 9
Vendor
CVE Published:
25 September 2023
đź”” Create Red Hat Vulnerability Alert

What is CVE-2022-4137?

A reflected cross-site scripting (XSS) vulnerability exists in Keycloak's 'oob' OAuth endpoint due to improper handling of null bytes. This security flaw enables attackers to craft malicious links that, when clicked by an unsuspecting user or administrator, result in the injection of arbitrary URIs into Keycloak error pages. Such exploitation may allow an attacker to manipulate or gather sensitive user information.

References

https://access.redhat.com/errata/RHSA-2023:1043
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1044
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1045
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.