CVE-2022-1274
📋 TL;DR
CVE-2022-1274 is an HTML injection vulnerability in Keycloak's execute-actions-email endpoint that allows attackers to inject arbitrary HTML into emails sent to users. This affects all Keycloak deployments using email verification or password reset functionality. Attackers can exploit this to conduct phishing attacks or deliver malicious content to users.
💻 Affected Systems
- Keycloak
📦 What is this software?
Keycloak by Red Hat
⚠️ Risk & Real-World Impact
Worst Case
Attackers could craft convincing phishing emails that appear legitimate, leading to credential theft, malware installation, or account compromise for all Keycloak users.
Likely Case
Targeted phishing campaigns against specific users, potentially leading to credential harvesting or social engineering attacks.
If Mitigated
Limited impact with proper email security controls, user awareness training, and email client protections that may block or warn about suspicious HTML content.
🎯 Exploit Status
Exploitation requires the ability to modify email templates or to supply user input that the vulnerable endpoint renders into an outgoing email. Public exploit details are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Keycloak 18.0.0 and later
Vendor Advisory: https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725
Restart Required: Yes
Instructions:
1. Upgrade Keycloak to version 18.0.0 or later.
2. Apply the patch that properly sanitizes HTML input in email templates.
3. Restart the Keycloak service to apply changes.
🔧 Temporary Workarounds
Disable email actions
- Temporarily disable the execute-actions-email endpoint or email-based user actions
- Modify Keycloak configuration to disable email verification and password reset features
Implement email content filtering
- Add external email filtering to strip or sanitize HTML content
- Configure email gateway or SMTP proxy to sanitize HTML in outgoing emails
🧯 If You Can't Patch
- Implement strict email security controls and user awareness training about phishing risks
- Monitor email logs for unusual HTML patterns or suspicious email content
🔍 How to Verify
Check if Vulnerable:
Check if Keycloak version is below 18.0.0 and email functionality is enabled
Check Version:
Check Keycloak server logs or admin console for version information
Verify Fix Applied:
Verify Keycloak version is 18.0.0 or later and test email functionality for HTML injection
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML patterns in email template modifications
- Multiple failed email verification attempts
Network Indicators:
- Unusual SMTP traffic patterns from Keycloak server
SIEM Query:
source="keycloak" AND ("execute-actions-email" OR "email template") AND html_content
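Two of the checks above (the 18.0.0 version threshold from How to Verify and the HTML-pattern monitoring from Detection & Monitoring), written as an added example that is not code from this page or from the Keycloak project. The relay-log format, the text_body field and the sample log lines are assumptions constructed for the example.

```python
"""Defensive checks for CVE-2022-1274 (Keycloak execute-actions-email HTML injection).
Added example, not code from this page or the Keycloak project. Assumptions: the
Keycloak version is a "MAJOR.MINOR.PATCH[-suffix]" string, and the mail relay logs
each outgoing action email with a text_body="..." field holding the text/plain part
(field name and sample lines below are constructed).
"""
import re
from typing import List, Tuple

FIXED_VERSION = (18, 0, 0)  # first fixed release per the vendor advisory
# An HTML tag: optional '/', a tag name, optional attributes, optional '/', then '>'.
HTML_TAG_RE = re.compile(r"</?[a-zA-Z][a-zA-Z0-9-]*(?:\s[^<>]*)?/?>")
TEXT_BODY_RE = re.compile(r'text_body="([^"]*)"')


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '17.0.1' or '18.0.0-SNAPSHOT' into a comparable int tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Keycloak version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version: str) -> bool:
    """True when the running version predates the fix line (18.0.0)."""
    return parse_version(version) < FIXED_VERSION


def find_html_in_text_bodies(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, tag) for each log line whose text/plain part holds a tag.
    Only the text part is scanned: the HTML part of a Keycloak action email is
    legitimately full of tags, so scanning it would flag every message."""
    hits = []
    for n, line in enumerate(lines, start=1):
        body = TEXT_BODY_RE.search(line)
        if body is None:
            continue
        tag = HTML_TAG_RE.search(body.group(1))
        if tag:
            hits.append((n, tag.group(0)))
    return hits


# Constructed sample relay log: clean, injected markup, and a bare '<' that must not fire.
SAMPLE_LOG = [
    '2022-04-01T10:00:01Z relay from=keycloak to=alice@example.test text_body="Hello Alice, update your account."',
    '2022-04-01T10:00:02Z relay from=keycloak to=bob@example.test text_body="Hello <a href=https://example.invalid>click here</a>, update your account."',
    '2022-04-01T10:00:03Z relay from=keycloak to=carol@example.test text_body="Hello Carol <3, update your account."',
]
```

Running find_html_in_text_bodies(SAMPLE_LOG) reports only the second line, with the tag it carries; the bare "<3" on the third line is left alone.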
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=2073157
- https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725
- https://herolab.usd.de/security-advisories/usd-2021-0033/