A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.
This issue is caused by the code in the exception handler at: https://github.com/keycloak/keycloak/blob/48835576daa158443f69917ac309e1a7c951bc87/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L1045
When using the legacy admin console:
| CPE | Name | Operator | Version |
|---|---|---|---|
| | org.keycloak:keycloak-services | le | 21.0.0 |
access.redhat.com/errata/RHSA-2023:1043
access.redhat.com/errata/RHSA-2023:1044
access.redhat.com/errata/RHSA-2023:1045
access.redhat.com/errata/RHSA-2023:1047
access.redhat.com/errata/RHSA-2023:1049
access.redhat.com/security/cve/cve-2022-1438
bugzilla.redhat.com/show_bug.cgi?id=2031904
github.com/advisories/GHSA-w354-2f3c-qvg9
github.com/keycloak/keycloak/blob/48835576daa158443f69917ac309e1a7c951bc87/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L1045
github.com/keycloak/keycloak/security/advisories/GHSA-w354-2f3c-qvg9
nvd.nist.gov/vuln/detail/CVE-2022-1438