Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC

GHSA-3p62-6fjh-3p5h · CVE-2022-4361

Published Jun 30, 2023 · Modified Feb 16, 2024

Description

AssertionConsumerServiceURL is a Java implementation for SAML Service Providers (org.keycloak.protocol.saml). Affected versions of this package are vulnerable to Cross-site Scripting (XSS).

AssertionConsumerServiceURL allows XSS when sending a crafted SAML XML request.

References

WEB https://github.com/keycloak/keycloak/security/advisories/GHSA-3p62-6fjh-3p5h
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-4361
WEB https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2151618
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes