Fluid Attacks Database

Description

Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console An issue was discovered in Keycloak allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-saml-core-public	=18.0.0	18.0.1
maven	org.keycloak:keycloak-parent	>=0 <19.0.2	19.0.2
maven	org.keycloak:keycloak-saml-core	>=0 <=19.0.1	19.0.2

Aliases

1. CVE-2022-26682. NVD-2022-26683. OSV-2022-26684. GHSA-wf7g-7h6h-678v5. GHSA-q2gp-gph3-88x96. GCVE-2022-26687. ACCESS-CVE-2022-2668

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v2. https://github.com/keycloak/keycloak/commit/e2ae7eef39b27e48ffa4764995d558555f02838c3. https://bugzilla.redhat.com/show_bug.cgi?id=2115392

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.