CVE-2021-20222

7.5 HIGH

📋 TL;DR

This vulnerability in Keycloak's new account console allows attackers to execute malicious code via manipulated referrer URLs. It affects Keycloak deployments using the new account console interface. The flaw can compromise data confidentiality, integrity, and system availability.

💻 Affected Systems

Products:
  • Keycloak
Versions: Keycloak 12.0.0 through 12.0.4
Operating Systems: All platforms running Keycloak
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using the new account console (enabled by default in affected versions).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing data theft, account takeover, and potential lateral movement within the Keycloak environment.

🟠 Likely Case: Session hijacking, data exfiltration from user accounts, and potential privilege escalation within the Keycloak realm.

🟢 If Mitigated: Limited impact with proper input validation and referrer restrictions in place.

🌐 Internet-Facing: HIGH - Keycloak is often exposed to the internet for authentication services, making exploitation straightforward.
🏢 Internal Only: MEDIUM - Internal deployments still vulnerable but with reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking a malicious link) but is technically simple to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Keycloak 12.0.5 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1924606

Restart Required: Yes

Instructions:

1. Download Keycloak 12.0.5 or later from official sources.
2. Stop the Keycloak service.
3. Back up configuration and database.
4. Replace with the patched version.
5. Restart the Keycloak service.
6. Verify functionality.

🔧 Temporary Workarounds

Disable New Account Console

Applies to: all

  • Revert to the legacy account console, which is not vulnerable.
  • Set the 'account2' feature to disabled in the Keycloak configuration.

Referrer Validation

Applies to: all

  • Implement strict referrer validation at the web server/proxy level.
  • Configure the web server to validate and sanitize referrer headers.

🧯 If You Can't Patch

  • Implement WAF rules to block malicious referrer patterns
  • Isolate Keycloak instance in network segment with strict egress filtering

🔍 How to Verify

Check if Vulnerable:

Check Keycloak version: if between 12.0.0 and 12.0.4 with new account console enabled, system is vulnerable.

Check Version:

Check Keycloak server logs or admin console for version information

Verify Fix Applied:

Verify Keycloak version is 12.0.5 or later and test referrer URL handling in account console.

📡 Detection & Monitoring

Log Indicators:

  • Unusual referrer URLs in access logs
  • JavaScript execution errors in account console

Network Indicators:

  • HTTP requests with malicious referrer headers to /auth/realms/*/account/* endpoints

SIEM Query:

source="keycloak" AND url="*/account/*" AND (referrer CONTAINS "javascript:" OR referrer CONTAINS "data:")
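As an added example that is not part of this advisory, the following Python script applies the log and network indicators above to constructed access-log lines: it keeps only requests to the account console paths, decodes and normalizes the Referer value so percent-encoding and case tricks do not hide the scheme, and flags the two schemes named in the SIEM query. The Combined Log Format, the realm name "demo" and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Added detection example (not Keycloak's or the advisory's own code).
# Assumes Combined Log Format with a Referer field; the realm name "demo"
# and the SAMPLE_LOG lines below are constructed for this example.

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Only account console paths are in scope for this CVE.
ACCOUNT_PATH_RE = re.compile(r"^/auth/realms/[^/]+/account(?:/|$)")
# The schemes named in the SIEM query, at the start of the Referer or as a
# query-parameter value, so a path like "/metadata:1" does not trip the rule.
SUSPICIOUS_RE = re.compile(r"(?:^|[=&?])(?:javascript|data):")

def normalize_referer(value: str) -> str:
    # Undo (double) percent-encoding, lowercase, and strip whitespace/control
    # characters that browsers ignore inside a URL scheme.
    decoded = unquote(unquote(value)).lower()
    return re.sub(r"[\s\x00-\x1f]", "", decoded)

def is_suspicious_referer(value: str) -> bool:
    return SUSPICIOUS_RE.search(normalize_referer(value)) is not None

def scan_log(lines):
    # One finding per account-console request carrying a suspicious Referer.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not ACCOUNT_PATH_RE.match(m["path"].split("?", 1)[0]):
            continue
        if is_suspicious_referer(m["referer"]):
            findings.append({"src": m["src"], "ts": m["ts"],
                             "path": m["path"], "referer": m["referer"]})
    return findings

SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.5 - - [10/Feb/2021:12:00:01 +0000] "GET /auth/realms/demo/account/ HTTP/1.1" 200 512 "https://portal.example.test/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Feb/2021:12:00:02 +0000] "GET /auth/realms/demo/account/ HTTP/1.1" 200 512 "javascript:void(0)" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Feb/2021:12:00:03 +0000] "GET /auth/realms/demo/account/ HTTP/1.1" 200 512 "https://evil.example.test/?u=JaVa%09ScRiPt%3Avoid(0)" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2021:12:00:04 +0000] "GET /auth/realms/demo/protocol/openid-connect/auth HTTP/1.1" 302 0 "data:text/html,x" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['path']} referer={f['referer']!r}")
```

The fourth sample line carries a data: referrer but targets a non-account endpoint, so it is deliberately left unflagged; widen ACCOUNT_PATH_RE if your deployment serves the console under a different context path.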
