CVSS3: 6.4 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.001 Low
EPSS Percentile: 38.0%
A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a cross-site scripting (XSS) vulnerability.
This issue is the result of the code found in the exception here: https://github.com/keycloak/keycloak/blob/48835576daa158443f69917ac309e1a7c951bc87/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L1045
When using the legacy admin console:
| CPE | Name | Operator | Version |
|---|---|---|---|
| | org.keycloak:keycloak-services | le | 21.0.0 |
access.redhat.com/errata/RHSA-2023:1043
access.redhat.com/errata/RHSA-2023:1044
access.redhat.com/errata/RHSA-2023:1045
access.redhat.com/errata/RHSA-2023:1047
access.redhat.com/errata/RHSA-2023:1049
access.redhat.com/security/cve/cve-2022-1438
bugzilla.redhat.com/show_bug.cgi?id=2031904
github.com/advisories/GHSA-w354-2f3c-qvg9
github.com/keycloak/keycloak/blob/48835576daa158443f69917ac309e1a7c951bc87/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L1045
github.com/keycloak/keycloak/security/advisories/GHSA-w354-2f3c-qvg9
nvd.nist.gov/vuln/detail/CVE-2022-1438