CVE-2022-4361
📋 TL;DR
Keycloak versions before 20.0.2 have a reflected cross-site scripting (XSS) vulnerability in their SAML and OIDC protocol endpoints: attacker-controlled values supplied as the SAML AssertionConsumerServiceURL or the OIDC redirect_uri are reflected into a response without adequate output encoding, so a crafted link executes arbitrary JavaScript in the victim's browser within the Keycloak origin. Every Keycloak deployment that serves SAML or OIDC clients is affected until upgraded.
💻 Affected Systems
- Keycloak
📦 What is this software?
Keycloak by Red Hat: an open-source identity and access management server that provides single sign-on to applications over OpenID Connect, OAuth 2.0 and SAML 2.0.
OpenShift Container Platform for IBM LinuxONE by Red Hat
OpenShift Container Platform for Power by Red Hat
⚠️ Risk & Real-World Impact
Worst Case
Script executing in the Keycloak origin runs on the one domain every federated application trusts. It can act within the victim's SSO session against Keycloak endpoints such as the account console, rewrite the login page to harvest credentials and one-time codes, and so take over the user's accounts in every application that relies on the realm for authentication.
Likely Case
Targeted phishing links that hijack a user's SSO session or capture credentials, giving unauthorized access to applications that rely on Keycloak for authentication.
If Mitigated
Limited impact where a strict Content Security Policy (no 'unsafe-inline') and an allowlist check on the URL parameters are in place; note that CSP stops script execution but not markup injection that needs no script, such as a fake login form or a redirect inserted into the page.
🎯 Exploit Status
Reflected XSS: the attacker must get a user to open a crafted link to the Keycloak SAML or OIDC endpoint, but needs no Keycloak account and no access beyond the publicly reachable protocol endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.0.2 and later
Vendor Advisory: https://access.redhat.com/security/cve/cve-2022-4361
Restart Required: Yes
Instructions:
1. Back up the Keycloak configuration and database.
2. Download Keycloak 20.0.2 or later from https://www.keycloak.org/downloads (container deployments: pull the matching quay.io/keycloak/keycloak image tag). Red Hat product users, including OpenShift Container Platform, should apply the errata referenced in the vendor advisory instead of the upstream download.
3. Stop the Keycloak service.
4. Replace the installation with the new version and restore your conf/, providers/ and themes/ directories.
5. Start the Keycloak service.
6. Verify the fix by checking the version (bin/kc.sh --version or the Server Info page of the admin console).
🔧 Temporary Workarounds
Input Validation Filter
Applies to: all deployments. Reject requests whose AssertionConsumerServiceURL or redirect_uri does not exactly match a URL registered for one of your clients before they reach Keycloak.
A servlet filter is only an option on a legacy WildFly-based deployment; on the Quarkus distribution (17 and later) put the check in the reverse proxy or WAF in front of Keycloak. Compare the fully percent-decoded value against an allowlist of registered client URLs; searching the value for "<script>" is not a substitute, since encoded and script-free payloads pass such a filter.
Content Security Policy
Applies to: all deployments. Add a strict CSP to limit script execution.
Keycloak already sends a per-realm Content-Security-Policy header (Realm settings > Security defenses > Headers; the default is frame-src 'self'; frame-ancestors 'self'; object-src 'none';). Extend it with script-src 'self' there, or set Content-Security-Policy: script-src 'self' at the proxy. Test on a staging realm first: a policy without 'unsafe-inline' can break login and account theme pages that rely on inline scripts, and CSP does not stop markup injection that needs no script.
🧯 If You Can't Patch
- Put a WAF or reverse-proxy rule in front of the SAML and OIDC endpoints that rejects AssertionConsumerServiceURL and redirect_uri values not on an allowlist of registered client URLs; pure signature blocking of "<script>" is bypassed by percent-encoding, double encoding and payloads that use other tags or event-handler attributes.
- Monitor logs for URL parameters carrying script tags, javascript: URLs, event-handler attributes, or percent-encoded forms of these.
🔍 How to Verify
Check if Vulnerable:
Check the Keycloak version: if it is below 20.0.2, treat the instance as vulnerable, since every Keycloak exposes the SAML and OIDC protocol endpoints. To confirm, and only against a staging instance, send a request whose AssertionConsumerServiceURL or redirect_uri carries a harmless marker such as "><xss-marker> and inspect whether the response reflects it unencoded.
Check Version:
Open the Server Info page of the admin console (master realm), or on the Quarkus distribution run: bin/kc.sh --version. For container deployments, check the image tag.
Verify Fix Applied:
After patching, repeat the staging test with the same marker in the AssertionConsumerServiceURL and redirect_uri parameters and confirm the response HTML-encodes it (&lt;, &gt;, &quot;) rather than rendering it. Confirm the version reports 20.0.2 or higher.
📡 Detection & Monitoring
Log Indicators:
- redirect_uri values (OIDC) or AssertionConsumerServiceURL attributes (SAML; visible only after base64- and deflate-decoding the SAMLRequest parameter, never in the plain URL) containing script tags, javascript: URLs, event-handler attributes, or percent-encoded forms of these
- Bursts of Keycloak LOGIN_ERROR events with error=invalid_redirect_uri from a single source: an injected redirect_uri cannot match any registered client URI
Network Indicators:
- HTTP requests to the realm protocol endpoints (/realms/<realm>/protocol/openid-connect/auth, /realms/<realm>/protocol/saml) with encoded script payloads in URL parameters
- Unusual redirect patterns in authentication flows, such as redirect targets outside your registered client hosts
SIEM Query:
source="keycloak" AND (url="*<script>*" OR url="*javascript:*" OR url="*%3Cscript%3E*")
This Splunk-style query is a starting point only: it misses double-encoded payloads (%253Cscript%253E), payloads using other tags or on*= handlers, and every SAML case, because the AssertionConsumerServiceURL sits inside the compressed, base64-encoded SAMLRequest. Decode the parameter before matching, and correlate with error=invalid_redirect_uri events.
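As an added example, not Keycloak's or Red Hat's own code, the following Python serves both the allowlist workaround under "If You Can't Patch" and the detection guidance in this section. redirect_allowed is the positive check a reverse proxy or WAF would apply to a redirect_uri (exact or registered-wildcard match after full percent-decoding, never a substring match); acs_url_from_saml_redirect recovers the AssertionConsumerServiceURL from a redirect-binding SAMLRequest, which is raw-deflated and base64-encoded and therefore invisible to a plain URL grep; triage_event_lines runs the script indicators over percent-decoded redirect_uri values in Keycloak-style event lines. The client registry, the log lines and the event field layout are constructed for illustration and are assumptions, not Keycloak output.

```python
"""Allowlist check and log triage for redirect_uri and AssertionConsumerServiceURL values.
Added example, not Keycloak's own code. The client registry, log lines and event field
layout below are constructed for illustration.
"""
import base64
import re
import zlib
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed registry: client_id -> redirect URIs registered for that client.
# A trailing '*' follows Keycloak's own wildcard convention for redirect URIs.
REGISTERED_REDIRECTS = {
    "app-web": ["https://app.example.com/callback", "https://app.example.com/oidc/*"],
    "saml-hr": ["https://hr.example.com/saml/acs"],
}

# Triage heuristics, applied only after decoding so %3Cscript%3E and %253Cscript%253E are caught too.
SCRIPT_INDICATORS = re.compile(
    r"<\s*script|javascript\s*:|<\s*(svg|img|iframe|object|embed)\b|\bon[a-z]+\s*=", re.I)

def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding; double encoding is a common filter bypass."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def redirect_allowed(client_id, candidate):
    """Positive check for a proxy or WAF rule: True only for an exact or registered-wildcard match."""
    registered = REGISTERED_REDIRECTS.get(client_id)
    if not registered:
        return False
    candidate = fully_decode(candidate)
    try:
        parts = urlsplit(candidate)
    except ValueError:  # malformed authority, e.g. an unbalanced IPv6 bracket
        return False
    # Structural rejections: http(s) only, a real host, no credentials, no markup or control characters.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password or "\\" in candidate:
        return False
    if any(ch in "<>\"'" or ord(ch) < 0x20 for ch in candidate):
        return False
    for allowed in registered:
        if allowed.endswith("*") and candidate.startswith(allowed[:-1]):
            return True
        if candidate == allowed:
            return True
    return False

def encode_saml_redirect(authn_request_xml):
    """Build a redirect-binding SAMLRequest query string (raw deflate, base64, percent-encode)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    raw = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    return "SAMLRequest=" + quote(base64.b64encode(raw).decode("ascii"), safe="")

def acs_url_from_saml_redirect(query_string):
    """Recover AssertionConsumerServiceURL from a redirect-binding query string, or None.
    The ACS URL is an attribute inside the compressed, base64-encoded AuthnRequest, so it
    never appears in clear text in the request URL and a plain URL grep cannot see it.
    """
    values = parse_qs(query_string).get("SAMLRequest")
    if not values:
        return None
    try:
        xml = zlib.decompress(base64.b64decode(values[0]), -15).decode("utf-8", "replace")
    except (ValueError, zlib.error):  # binascii.Error is a ValueError subclass
        return None
    match = re.search(r'AssertionConsumerServiceURL="([^"]*)"', xml)
    return match.group(1) if match else None

EVENT_FIELD = re.compile(r"(\w+)=([^,\s]*)")

def triage_event_lines(lines):
    """Return (line_no, decoded redirect_uri) for event lines whose redirect_uri matches an indicator."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if "[org.keycloak.events]" not in line:
            continue
        fields = dict(EVENT_FIELD.findall(line.split("[org.keycloak.events]", 1)[1]))
        decoded = fully_decode(fields.get("redirect_uri", ""))
        if decoded and SCRIPT_INDICATORS.search(decoded):
            findings.append((number, decoded))
    return findings

# Constructed Keycloak-style event lines (jboss-logging event listener layout, assumed).
SAMPLE_LOG = [
    "2022-12-14 10:15:02,123 WARN  [org.keycloak.events] (executor-thread-5) type=LOGIN_ERROR, realmId=master, "
    "clientId=app-web, userId=null, ipAddress=203.0.113.7, error=invalid_redirect_uri, "
    "redirect_uri=https://app.example.com/callback%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
    "2022-12-14 10:15:09,801 INFO  [org.keycloak.events] (executor-thread-2) type=LOGIN, realmId=master, "
    "clientId=app-web, userId=2f1c, ipAddress=198.51.100.4, redirect_uri=https://app.example.com/callback",
]
```

The allowlist is deliberately a positive check: a redirect_uri that is not byte-for-byte one of the registered URIs (or under a registered wildcard prefix) is rejected regardless of what it contains, which is why double-encoded or script-free payloads do not get through. encode_saml_redirect exists only so the decoder can be exercised offline; in production the SAMLRequest comes from the proxy access log.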