Server-side cross-site scripting in org.keycloak:keycloak-parent
Description
Keycloak vulnerable to Stored Cross-Site Scripting (XSS) when loading default roles
A Stored XSS vulnerability was reported to the Keycloak Security mailing list, affecting all versions of Keycloak, including the latest release (18.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console by abusing the default roles functionality.
CVSS 3.1 - 3.8
Vector String: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Vector Clarification:
User interaction is not required as the admin console is regularly used during an administrator's work
The scope is unchanged since the admin console web application is both the vulnerable component and where the exploit executes
Credits
Aytaç Kalıncı, Ilker Bulgurcu, Yasin Yılmaz (@aytackalinci, @smileronin, @yasinyilmaz) - NETAŞ PENTEST TEAM
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| maven | org.keycloak:keycloak-parent | | 19.0.2 |