CVE-2022-3782

keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.

Published: Jan 13, 2023
Updated: May 9, 2024
CVE: CVE-2022-3782
GHSA: GHSA-g8q8-fggx-9r3q
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWEs:

CWE-22
CWE-177

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
redhat / keycloak	20.0.2	20.0.2.x
org.keycloak / keycloak-parent	-	20.0.2

https://access.redhat.com/security/cve/CVE-2022-3782
https://github.com/keycloak/keycloak/pull/15982/commits/1987c942f527b9f3bbf2a86ba71ba8ae0154ac37
https://github.com/keycloak/keycloak/security/advisories/GHSA-g8q8-fggx-9r3q

Vulnerability Database

289,599

CVE-2022-3782