CVE-2022-3782

Severity: 9.1 CRITICAL
EPSS: 0.1% (top 69.01%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Latest update Jan 11 | Published Jan 13

Description

keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages (3 packages)

CVEList V5 | redhat.com/keycloak | 20.0.2 | 20.0.2
NVD | redhat/keycloak | 20.0.2

🔴 Vulnerability Details (3)

CVEList: CVE-2022-3782: keycloak: path traversal via double URL encoding (2023-01-11)
OSV: Keycloak vulnerable to path traversal via double URL encoding (2022-12-13)
GHSA: Keycloak vulnerable to path traversal via double URL encoding (2022-12-13)

📋 Vendor Advisories (1)

Red Hat: keycloak: path traversal via double URL encoding (2022-12-12)
CVE-2022-3782 (CRITICAL CVSS 9.1) | keycloak: path traversal via double | cvebase.io