HIGH 8.1 Maven
Keycloak Cross-site Scripting on OpenID connect login service
GHSA-9hhc-pj4w-w5rv · CVE-2022-4137
Published · Modified
Description
A reflected cross-site scripting (XSS) vulnerability was found in the oob OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page.
References
- WEB https://github.com/keycloak/keycloak/security/advisories/GHSA-9hhc-pj4w-w5rv
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-4137
- WEB https://github.com/keycloak/keycloak/pull/16774
- WEB https://github.com/keycloak/keycloak/commit/30d0e9d22dae51392e5a3748a1c68c116667359a
- WEB https://access.redhat.com/errata/RHSA-2023:1043
- WEB https://access.redhat.com/errata/RHSA-2023:1044
- WEB https://access.redhat.com/errata/RHSA-2023:1045
- WEB https://access.redhat.com/errata/RHSA-2023:1049
- WEB https://access.redhat.com/security/cve/CVE-2022-4137
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=2148496
- PACKAGE https://github.com/keycloak/keycloak
Ready to move
Start Securing
Free, no credit card | First findings in minutes