CVE-2022-2668 — Expected Behavior Violation in Redhat Keycloak

CWE-440 — Expected Behavior Violation5 documents5 sources

Severity

7.2HIGHNVD

EPSS

0.5%

top 35.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak Redhat Single Sign-on

Timeline

PublishedAug 5

Latest updateSep 23

Description

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5redhat/keycloakKeycloak 18

▶NVDredhat/keycloak18.0.0

▶NVDredhat/single_sign-on7.0

🔴Vulnerability Details

GHSA

Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console↗2022-09-23

▶

OSV

Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console↗2022-09-23

▶

CVEList

CVE-2022-2668: An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is↗2022-08-05

▶

📋Vendor Advisories

Red Hat

keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console↗2022-08-04

▶