CVE-2022-2668

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled

Published: Aug 5, 2022
Updated: May 9, 2024
CVE: CVE-2022-2668
GHSA: GHSA-wf7g-7h6h-678v
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
redhat / single_sign-on	7.0	7.0.x
redhat / keycloak	18.0.0	18.0.0.x
org.keycloak / keycloak-parent	-	19.0.2

https://access.redhat.com/security/cve/CVE-2022-2668
https://bugzilla.redhat.com/show_bug.cgi?id=2115392
https://github.com/keycloak/keycloak/commit/e2ae7eef39b27e48ffa4764995d558555f02838c
https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v

Vulnerability Database

289,599

CVE-2022-2668