CVE-2022-4137 HIGH

CVE-2022-4137: Keycloak: reflected XSS attack

Vendor Red Hat
Product Red Hat Single Sign-On 7
Weakness CWE-81
Published September 25, 2023
Last update August 3, 2024

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

Description

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. The flaw requires a user or administrator to interact with such a link in order to be affected. Exploitation may compromise user details, allowing them to be changed or collected by an attacker.

Key dates

Disclosure timeline

September 25, 2023 CVE published
August 3, 2024 Record updated