CVE-2022-2256 – org.keycloak:keycloak-parent

Package

Manager: maven
Name: org.keycloak:keycloak-parent
Vulnerable Version: >=0 <19.0.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00308 pctl0.53424

Details

Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including the latest release (18.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing of the default roles functionality. ### CVSS 3.1 - **3.8** **Vector String:** AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N **Vector Clarification:** * User interaction is not required as the admin console is regularly used during an administrator's work * The scope is unchanged since the admin console web application is both the vulnerable component and where the exploit executes ### Credits Aytaç Kalıncı, Ilker Bulgurcu, Yasin Yılmaz (@aytackalinci, @smileronin, @yasinyilmaz) - NETAŞ PENTEST TEAM

Metadata

Created: 2022-09-23T16:32:51Z
Modified: 2022-10-18T17:19:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-w9mf-83w3-fv49/GHSA-w9mf-83w3-fv49.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-w9mf-83w3-fv49
Finding: F425
Auto approve: 1