Keycloak allows arbitrary Javascript to be uploaded for SAML protocol mapper even if UPLOAD_SCRIPTS feature disabled

GHSA-q2gp-gph3-88x9

Published Aug 6, 2022 · Modified Dec 5, 2024

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-wf7g-7h6h-678v. This link is maintained to preserve external references.

Original Description

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-2668
WEB https://access.redhat.com/security/cve/CVE-2022-2668
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2115392
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes