CVE-2022-4137: Keycloak: reflected xss attack
First published: Fri Nov 25 2022(Updated: )
A flaw was found in Keycloak package. This flaw allows an attacker to benefit from Cross-Site Scripting by sending a script via URL. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise the user details, may it be changed or collected by the attacker. An administrator who might be affected may also compromise the server data.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Keycloak | ||
| Redhat Single Sign-on | =7.6 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 | |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el7 | 0:18.0.6-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el8 | 0:18.0.6-1.redhat_00001.1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el9 | 0:18.0.6-1.redhat_00001.1.el9 |
| maven/org.keycloak:keycloak-parent | <20.0.5 | 20.0.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/keycloak/keycloak/security/advisories/GHSA-9hhc-pj4w-w5rv
- https://github.com/keycloak/keycloak/pull/16774
- https://github.com/keycloak/keycloak/commit/30d0e9d22dae51392e5a3748a1c68c116667359a
- https://nvd.nist.gov/vuln/detail/CVE-2022-4137
- https://access.redhat.com/errata/RHSA-2023:1043
- https://access.redhat.com/errata/RHSA-2023:1044
- https://access.redhat.com/errata/RHSA-2023:1045
- https://access.redhat.com/errata/RHSA-2023:1049
- https://access.redhat.com/security/cve/CVE-2022-4137
- https://bugzilla.redhat.com/show_bug.cgi?id=2148496
- https://github.com/advisories/GHSA-9hhc-pj4w-w5rv (Advisory)
- https://access.redhat.com/security/cve/cve-2022-4137
- https://www.cve.org/CVERecord?id=CVE-2022-4137 https://nvd.nist.gov/vuln/detail/CVE-2022-4137
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-4137?
CVE-2022-4137 is a reflected cross-site scripting (XSS) vulnerability found in the 'oob' OAuth endpoint of Keycloak.
What is the severity of CVE-2022-4137?
The severity of CVE-2022-4137 is high, with a CVSS score of 8.1.
What is the affected software for CVE-2022-4137?
The affected software for CVE-2022-4137 includes Redhat Keycloak, Redhat Single Sign-on, and Redhat Enterprise Linux (versions 7.0, 8.0, 9.0).
How does CVE-2022-4137 work?
CVE-2022-4137 allows a malicious link to insert an arbitrary URI into a Keycloak error page through the 'oob' OAuth endpoint.
How can I fix CVE-2022-4137?
To fix CVE-2022-4137, update your Keycloak installation to versions 0:18.0.6-1.redhat_00001.1.el7, 0:18.0.6-1.redhat_00001.1.el8, or 0:18.0.6-1.redhat_00001.1.el9.
- collector/nvd-api
- collector/redhat-cve
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-9hhc-pj4w-w5rv
- alias/CVE-2022-4137
- collector/nvd-cve
- collector/github-advisory
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/author
- agent/references
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- vendor/redhat
- canonical/redhat keycloak
- canonical/redhat single sign-on
- version/redhat single sign-on/7.6
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/9.0
- package-manager/redhat
- package-manager/maven