CVE-2022-4137

8.1 HIGH (CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)

📋 TL;DR

This is a reflected cross-site scripting (XSS) vulnerability in Keycloak's 'oob' OAuth endpoint, caused by incorrect null-byte handling. A crafted link can insert an arbitrary URI into the Keycloak error page that the endpoint renders, so script supplied by the attacker runs in the Keycloak origin when a user or administrator follows the link. Because the script runs in that origin, it can collect or change the victim's account details. Exploitation requires the victim to interact with the link.

💻 Affected Systems

Products:
  • Keycloak
Versions: Keycloak releases that predate the fix. Red Hat tracks the corrected builds in advisories RHSA-2023:1043, RHSA-2023:1044, RHSA-2023:1045 and RHSA-2023:1049; for upstream (community) Keycloak, check the release notes or security advisory for CVE-2022-4137 for the first fixed release.
Operating Systems: All operating systems running Keycloak
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the 'oob' OAuth endpoint, which serves the out-of-band redirect flow (redirect URI urn:ietf:wg:oauth:2.0:oob) and is one of the standard OpenID Connect protocol endpoints. A default installation exposes it without any extra configuration.

📦 What is this software?

Keycloak is an open-source identity and access management server, sponsored by Red Hat, that provides single sign-on via OpenID Connect, OAuth 2.0 and SAML. Red Hat ships it commercially as Red Hat Single Sign-On, which is why the fixes are tracked in Red Hat advisories.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker-controlled script runs in the Keycloak origin with the victim's session. It can read or change the victim's account details, act through the account console on the victim's behalf, or present a fake login form on the real Keycloak domain to capture credentials. If the victim is an administrator, the same access extends to the admin console, which puts every realm the administrator manages at risk.

🟠 Likely Case

Attackers send crafted links by phishing or embed them in web pages; users who follow them have their session abused to collect personal data or change account settings, resulting in account takeover or data theft.

🟢 If Mitigated

Once the patched build is deployed (or the endpoint is blocked at the proxy until it is), the endpoint no longer reflects the crafted value as markup and the residual risk is low.

🌐 Internet-Facing: HIGH. A crafted link works against any user of an internet-exposed Keycloak instance, and login pages are exactly what users expect to reach from a link.
🏢 Internal Only: MEDIUM. Internal users can still be targeted through phishing or links posted on internal sites, but the attacker first needs a way to deliver the link into the network.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes (the attacker needs no account; the victim only has to follow the link)
Complexity: LOW. The attack is a single crafted URL to the 'oob' endpoint; CVSS rates the attack complexity low.

Exploitation requires user interaction (following a link), so it depends on social engineering, but it is technically straightforward once the crafted value is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: The builds listed in Red Hat advisories RHSA-2023:1043, RHSA-2023:1044, RHSA-2023:1045 and RHSA-2023:1049 for Red Hat Single Sign-On; for upstream Keycloak, the first release that lists CVE-2022-4137 as fixed in its release notes.

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2022-4137

Restart Required: Yes

Instructions:

1. Record the current Keycloak version (bin/kc.sh --version on the Quarkus distribution, or the Server Info page in the admin console).
2. Apply the latest security update from Red Hat (the RHSA builds above) or upgrade upstream Keycloak to a release that lists CVE-2022-4137 as fixed.
3. Restart the Keycloak service so the new build is running; in a cluster, roll the restart through every node.
4. Verify the fix by requesting the 'oob' endpoint with a marker value and confirming it is returned HTML-escaped rather than as markup (see How to Verify).

🔧 Temporary Workarounds

Block the 'oob' OAuth endpoint at the reverse proxy

Applies to: all platforms

Until the patch is deployed, prevent requests from reaching the vulnerable endpoint. Keycloak does not ship a configuration flag for this endpoint, so the practical approach is to block the path at the reverse proxy in front of Keycloak, for example an nginx rule such as `location ~ ^/realms/[^/]+/protocol/openid-connect/oauth/oob$ { return 404; }`.

Caveat: this breaks any client that uses the out-of-band redirect URI (urn:ietf:wg:oauth:2.0:oob), typically installed or command-line applications that display the authorization code to the user. Check client registrations for that redirect URI before blocking, and remove the rule once patched.

🧯 If You Can't Patch

  • Block the 'oob' path at the reverse proxy as described under Temporary Workarounds; changing Keycloak's own input handling is not practical without patching, since the fix lives in the server code.
  • If the endpoint must stay reachable, add a web application firewall rule that rejects requests to the 'oob' path whose query string contains a null byte (%00) or script markup; match on the percent-decoded query so encoded variants are caught.
  • Warn users and administrators to be cautious of links to the Keycloak host that arrive by e-mail or chat while the instance is unpatched.

🔍 How to Verify

Check if Vulnerable:

Request the 'oob' endpoint with a harmless marker value containing a null byte and a '<' character in the query parameter that the error page renders; if the marker comes back in the response body as markup rather than HTML-escaped, the system is vulnerable. Use a non-executing marker for the check, not a live script payload.

Check Version:

bin/kc.sh --version on the Quarkus distribution, or the Server Info page in the admin console. Compare the result against the fixed versions in the Red Hat advisories or the upstream release notes.

Verify Fix Applied:

After patching, repeat the same marker request against the 'oob' endpoint and confirm that the marker is returned HTML-escaped (or not reflected at all) and that the error page no longer includes the arbitrary URI supplied in the link.
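The check described under "Check if Vulnerable" and "Verify Fix Applied" can be scripted. The following is an added example, not code from the Keycloak project or from the advisory. It assumes the endpoint path /realms/{realm}/protocol/openid-connect/oauth/oob and that the `error` and `error_description` query parameters are what the result page renders; both are assumptions about the endpoint, so adjust them if your instance differs. The marker contains a NUL byte (the flaw is in null-byte handling) and a '<' so that raw reflection can be told apart from escaped reflection; it is not an executing payload.

```python
"""Probe Keycloak's 'oob' endpoint for raw reflection of a marker (added example)."""
import html
import sys
import urllib.error
import urllib.parse
import urllib.request

# Marker deliberately contains a NUL byte and a '<' so that raw versus
# HTML-escaped reflection can be distinguished. It executes nothing.
MARKER = "kc4137probe"
PROBE = "x\x00<" + MARKER + ">"

# Assumption: Keycloak serves the out-of-band endpoint at this path and
# renders the 'error' / 'error_description' query parameters on the page.
OOB_PATH = "/realms/{realm}/protocol/openid-connect/oauth/oob"


def probe_url(base_url, realm, param="error"):
    """Build the probe URL; urlencode turns the NUL into %00 and '<' into %3C."""
    path = OOB_PATH.format(realm=urllib.parse.quote(realm, safe=""))
    query = urllib.parse.urlencode({param: PROBE})
    return base_url.rstrip("/") + path + "?" + query


def classify(body, marker=MARKER):
    """Decide how the marker came back in an HTML response body."""
    raw = "<" + marker + ">"
    escaped = html.escape(raw)          # '&lt;kc4137probe&gt;'
    if raw in body:
        return "reflected-raw"          # markup survived: treat as vulnerable
    if escaped in body or marker in body:
        return "reflected-escaped"      # value present but neutralised
    return "not-reflected"


def check(base_url, realm, params=("error", "error_description"), timeout=10):
    """Request the endpoint once per candidate parameter and classify each body."""
    results = {}
    for param in params:
        req = urllib.request.Request(
            probe_url(base_url, realm, param),
            headers={"User-Agent": "cve-2022-4137-check"},
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            # Error pages are exactly where the value is rendered, so keep the body.
            body = err.read().decode("utf-8", "replace")
        results[param] = classify(body)
    return results


# Constructed sample bodies standing in for a vulnerable and a patched response.
SAMPLE_VULNERABLE = "<html><body><p>x<kc4137probe></p></body></html>"
SAMPLE_PATCHED = "<html><body><p>x&lt;kc4137probe&gt;</p></body></html>"

if __name__ == "__main__":
    print("sample vulnerable:", classify(SAMPLE_VULNERABLE))
    print("sample patched:   ", classify(SAMPLE_PATCHED))
    # Live check: python3 check_oob.py https://sso.example.com master
    if len(sys.argv) == 3:
        print(check(sys.argv[1], sys.argv[2]))
```

Run it once before patching and once after; a result of `reflected-raw` for any parameter means the endpoint still renders the value as markup. A `reflected-escaped` or `not-reflected` result after patching is the expected outcome. Only run the live check against instances you are authorised to test.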

📡 Detection & Monitoring

Log Indicators:

  • Requests to the 'oob' endpoint whose query string carries a null byte (%00), HTML tags, or an unexpected URI in the error parameters. Keycloak's server log does not record request query strings by default, so the practical source is the reverse proxy access log (or an HTTP access log enabled on Keycloak itself).

Network Indicators:

  • HTTP requests to /realms/*/protocol/openid-connect/oauth/oob containing crafted URIs, script tags, or percent-encoded equivalents (%3Cscript, %00) in the query string.

SIEM Query (Splunk-style pseudo-query; field names depend on how the access log is parsed):

source="keycloak.log" AND (uri="*oob*" AND (param="*%00*" OR param="*<script>*" OR param="*%3Cscript*"))

Match on the decoded query where the platform supports it, because the null byte and the script tag may arrive either raw or percent-encoded.
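The detection logic above, applied to proxy access logs, as an added example that is not part of the original page. It assumes nginx/Apache combined-format access logs from a reverse proxy in front of Keycloak and the endpoint path /realms/{realm}/protocol/openid-connect/oauth/oob; the log lines are constructed for the example. The query string is percent-decoded once before matching so that %00 and %3Cscript%3E are caught alongside their raw forms.

```python
"""Flag requests to Keycloak's 'oob' endpoint carrying null bytes or script markup (added example)."""
import re
import urllib.parse

# Assumption: combined-format access log lines from a reverse proxy in front of Keycloak.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: the out-of-band endpoint lives at this path in every realm.
OOB_RE = re.compile(r"^/realms/[^/]+/protocol/openid-connect/oauth/oob$")
# Indicators checked against the percent-decoded query string.
SUSPICIOUS = re.compile(r"\x00|<\s*script|javascript:", re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into the fields the detection needs, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def is_suspicious_oob_request(entry):
    """True when the request targets the 'oob' endpoint with an XSS/null-byte indicator."""
    if entry is None or not OOB_RE.match(entry["path"]):
        return False
    # Decode once so %00, %3Cscript%3E and '+'-encoded spaces become visible.
    decoded = urllib.parse.unquote_plus(entry["query"])
    return bool(SUSPICIOUS.search(decoded))


def scan(lines):
    """Return (ip, timestamp, decoded query) for every suspicious 'oob' request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if is_suspicious_oob_request(entry):
            hits.append((entry["ip"], entry["ts"], urllib.parse.unquote_plus(entry["query"])))
    return hits


# Constructed sample log lines: two malicious 'oob' requests, one benign 'oob'
# request, and one request with markup aimed at a different endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2023:10:15:01 +0000] "GET /realms/master/protocol/openid-connect/oauth/oob?error=bad%00%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Feb/2023:10:15:03 +0000] "GET /realms/master/protocol/openid-connect/oauth/oob?code=abc123 HTTP/1.1" 200 1210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2023:10:15:05 +0000] "GET /realms/master/protocol/openid-connect/auth?client_id=x&error=%3Cscript%3E HTTP/1.1" 400 512 "-" "curl/7.88"',
    '198.51.100.9 - - [10/Feb/2023:10:15:09 +0000] "GET /realms/demo/protocol/openid-connect/oauth/oob?error_description=login+failed%00 HTTP/1.1" 200 1400 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, query in scan(SAMPLE_LOG):
        print(f"{ts} {ip} oob query: {query!r}")
```

Only the first and fourth sample lines are reported: the second is a normal code display and the third carries markup but targets the authorization endpoint, not the 'oob' page. The null byte is the higher-confidence indicator here because the flaw is specifically in null-byte handling; a bare `<script` match without it is a weaker signal and worth tuning against your own traffic.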

🔗 References

  • Red Hat CVE page: https://access.redhat.com/security/cve/CVE-2022-4137
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-4137
  • Red Hat advisories: https://access.redhat.com/errata/RHSA-2023:1043, https://access.redhat.com/errata/RHSA-2023:1044, https://access.redhat.com/errata/RHSA-2023:1045, https://access.redhat.com/errata/RHSA-2023:1049