Keycloak Cross-site Scripting on OpenID connect login service

2023-03-0117:38:56

Google

osv.dev

keycloak

xss

vulnerability

openid connect

oauth

endpoint

null-byte handling

malicious link

arbitrary uri

error page

software

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

37.1%

JSON

A reflected cross-site scripting (XSS) vulnerability was found in the oob OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page.

CPENameOperatorVersion
org.keycloak:keycloak-parenteq8.0.0
org.keycloak:keycloak-parenteq1.6.1.Final
org.keycloak:keycloak-parenteq12.0.1
org.keycloak:keycloak-parenteq10.0.1
org.keycloak:keycloak-parenteq4.3.0.Final
org.keycloak:keycloak-parenteq3.1.0.CR1
org.keycloak:keycloak-parenteq1.0-alpha-3
org.keycloak:keycloak-parenteq1.8.0.CR3
org.keycloak:keycloak-parenteq1.9.4.Final
org.keycloak:keycloak-parenteq20.0.3

Name	Operator	Version
org.keycloak:keycloak-parent	eq	8.0.0
org.keycloak:keycloak-parent	eq	1.6.1.Final
org.keycloak:keycloak-parent	eq	12.0.1
org.keycloak:keycloak-parent	eq	10.0.1
org.keycloak:keycloak-parent	eq	4.3.0.Final
org.keycloak:keycloak-parent	eq	3.1.0.CR1
org.keycloak:keycloak-parent	eq	1.0-alpha-3
org.keycloak:keycloak-parent	eq	1.8.0.CR3
org.keycloak:keycloak-parent	eq	1.9.4.Final
org.keycloak:keycloak-parent	eq	20.0.3