Fluid Attacks Database

Description

Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:).

Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission.

Acknowledgements:

Special thanks to Lauritz Holtmann for reporting this issue and helping us improve our project.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-services	>=0 <22.0.10 \|\| >=23.0.0 <24.0.3	22.0.10, 24.0.3

Aliases

1. CVE-2023-67172. NVD-2023-67173. OSV-2023-67174. GHSA-8rmm-gm28-pj8q5. GCVE-2023-67176. access.redhat.com7. access.redhat.com8. access.redhat.com9. access.redhat.com10. access.redhat.com11. ACCESS-CVE-2023-6717

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-8rmm-gm28-pj8q2. https://bugzilla.redhat.com/show_bug.cgi?id=2253952

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.