CVE-2021-20222 — Improper Input Validation in Redhat Keycloak

CWE-20 — Improper Input Validation CWE-79 — Cross-site Scripting5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 36.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak

Timeline

PublishedMar 23

Latest updateMay 13

Description

A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶NVDredhat/keycloak9.0.0 — 13.0.0

▶CVEListV5redhat/keycloakkeycloak 13.0.0

🔴Vulnerability Details

OSV

Code injection in keycloak↗2021-05-13

▶

GHSA

Code injection in keycloak↗2021-05-13

▶

CVEList

CVE-2021-20222: A flaw was found in keycloak↗2021-03-23

▶

📋Vendor Advisories

Red Hat

keycloak: reflected XSS attack with referrer in new account console↗2021-02-16

▶