10

CVE-2022-4361

Cross-site scripting when validating URI-schemes on SAML and OIDC

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.
Mögliche Gegenmaßnahme
Keycloak Server: Install latest version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatKeycloak Version < 21.1.2
RedhatSingle Sign-on Version >= 7.6 < 7.6.4
   RedhatEnterprise Linux Version7.0
   RedhatEnterprise Linux Version8.0
   RedhatEnterprise Linux Version9.0
RedhatSingle Sign-on Version- SwEditiontext-only
RedhatOpenshift Container Platform Version4.11
   RedhatEnterprise Linux Version8.0
RedhatOpenshift Container Platform Version4.12
   RedhatEnterprise Linux Version8.0
Weitere Schwachstelleninformationen
SystemKeycloak
Produkt Keycloak Server
Version < 21.1.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.31% 0.799
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
secalert@redhat.com 10 3.9 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-81 Improper Neutralization of Script in an Error Message Web Page

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page.