Keycloak: reflected xss attack
CVE-2022-4137

8.1HIGH

Key Information:

Vendor: Red Hat
Status: Red Hat Single Sign-on 7; Red Hat Single Sign-on 7.6 For Rhel 7; Red Hat Single Sign-on 7.6 For Rhel 8; Red Hat Single Sign-on 7.6 For Rhel 9
Vendor: CVE Published:; 25 September 2023

🔔 Create Red Hat Vulnerability Alert

What is CVE-2022-4137?

A reflected cross-site scripting (XSS) vulnerability exists in Keycloak's 'oob' OAuth endpoint due to improper handling of null bytes. This security flaw enables attackers to craft malicious links that, when clicked by an unsuspecting user or administrator, result in the injection of arbitrary URIs into Keycloak error pages. Such exploitation may allow an attacker to manipulate or gather sensitive user information.

Affected Version(s)

Red Hat Single Sign-On 7.6 for RHEL 7 0:18.0.6-1.redhat_00001.1.el7sso

Red Hat Single Sign-On 7.6 for RHEL 8 0:18.0.6-1.redhat_00001.1.el8sso

Red Hat Single Sign-On 7.6 for RHEL 9 0:18.0.6-1.redhat_00001.1.el9sso

References

https://access.redhat.com/errata/RHSA-2023:1043

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2023:1044

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2023:1045

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 25, 2023
Vulnerability Reserved
Nov 24, 2022

.

The Cyber Security Vulnerability Database.