Lucene search

[email protected]CVE-2022-4361

HistoryJul 07, 2023 - 8:15 p.m.

CVE-2022-4361

2023-07-0720:15:09

CWE-81

CWE-79

[email protected]

web.nvd.nist.gov

keycloak

open-source

identity and access management

xss

saml

oidc

vulnerability

security

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

0.0005 Low

EPSS

Percentile

16.8%

JSON

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.

Affected configurations

NVD

Node

redhatkeycloakRange<21.1.2

Node

redhatenterprise_linuxMatch7.0

redhatenterprise_linuxMatch8.0

redhatenterprise_linuxMatch9.0

AND

redhatsingle_sign-onRange7.6–7.6.4

Node

redhatsingle_sign-onMatch-text-only

Node

redhatenterprise_linuxMatch8.0

AND

redhatopenshift_container_platformMatch4.11

redhatopenshift_container_platformMatch4.12

redhatopenshift_container_platform_for_ibm_linuxoneMatch4.9

redhatopenshift_container_platform_for_ibm_linuxoneMatch4.10

redhatopenshift_container_platform_for_powerMatch4.9

redhatopenshift_container_platform_for_powerMatch4.10

CPENameOperatorVersion
redhat:keycloakredhat keycloaklt21.1.2

CPE	Name	Operator	Version
redhat:keycloak	redhat keycloak	lt	21.1.2

CNA Affected

[
  {
    "vendor": "keycloak",
    "product": "keycloak",
    "versions": [
      {
        "status": "unaffected",
        "version": "21.1.2"
      }
    ],
    "defaultStatus": "unaffected"
  }
]