CVE-2022-1438

A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.

Published: Sep 20, 2023
Updated: May 10, 2024
CVE: CVE-2022-1438
GHSA: GHSA-w354-2f3c-qvg9
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.8
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
org.keycloak / keycloak-services	-	21.0.0.x

https://access.redhat.com/errata/RHSA-2023:1043
https://access.redhat.com/errata/RHSA-2023:1044
https://access.redhat.com/errata/RHSA-2023:1045
https://access.redhat.com/errata/RHSA-2023:1047
https://access.redhat.com/errata/RHSA-2023:1049
https://access.redhat.com/security/cve/cve-2022-1438
https://bugzilla.redhat.com/show_bug.cgi?id=2031904
https://github.com/keycloak/keycloak/blob/48835576daa158443f69917ac309e1a7c951bc87/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L1045
https://github.com/keycloak/keycloak/security/advisories/GHSA-w354-2f3c-qvg9

Vulnerability Database

289,599

CVE-2022-1438