Fluid Attacks Database

Description

Cross-site Scripting in keycloak A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-server-spi-private	>=0 <12.0.0	12.0.0
maven	org.keycloak:keycloak-services	>=0 <12.0.0	12.0.0
maven	org.keycloak:keycloak-wildfly-server-subsystem	>=0 <12.0.0	12.0.0
maven	org.keycloak:keycloak-parent	>=0 <12.0.0	12.0.0
npm	keycloak-connect	>=0 <12.0.0	12.0.0
maven	org.keycloak:keycloak-core	>=0 <12.0.0	12.0.0
maven	org.keycloak:keycloak-model-jpa	>=0 <12.0.0	12.0.0

Aliases

1. CVE-2020-107762. NVD-2020-107763. OSV-2020-107764. GHSA-484q-784p-8m5h5. GCVE-2020-10776

References

1. https://github.com/keycloak/keycloak/commit/01be601dbdd77822827de173e34180d9322db85c2. https://bugzilla.redhat.com/show_bug.cgi?id=1847428