CVE-2022-1438 - Vulnerability Details

A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00152.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Keycloak Red Hat Single Sign On Rhosemc

Configuration 1 [-]

cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Single Sign-On 7
keycloak-services	cpe:/a:redhat:red_hat_single_sign_on:7.6	RHSA-2023:1049	2023-03-01T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7	RHSA-2023:1043	2023-03-01T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8	RHSA-2023:1044	2023-03-01T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2023:1045	2023-03-01T00:00:00Z
RHEL-8 based Middleware Containers
rh-sso-7/sso76-openshift-rhel8:7.6-20	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2023:1047	2023-03-01T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-1124	A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.
Github GHSA	GHSA-w354-2f3c-qvg9	Keycloak vulnerable to Cross-site Scripting

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2023:1043
https://access.redhat.com/errata/RHSA-2023:1044
https://access.redhat.com/errata/RHSA-2023:1045
https://access.redhat.com/errata/RHSA-2023:1047
https://access.redhat.com/errata/RHSA-2023:1049
https://access.redhat.com/security/cve/CVE-2022-1438
https://bugzilla.redhat.com/show_bug.cgi?id=2031904
https://nvd.nist.gov/vuln/detail/CVE-2022-1438
https://www.cve.org/CVERecord?id=CVE-2022-1438

History

Tue, 24 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-09-20T13:34:22.495Z

Updated: 2024-09-24T15:06:01.676Z

Reserved: 2022-04-22T14:36:34.415Z

Link: CVE-2022-1438

Vulnrichment

Updated: 2024-08-03T00:03:06.303Z

NVD

Status : Modified

Published: 2023-09-20T14:15:12.607

Modified: 2024-11-21T06:40:44.223

Link: CVE-2022-1438

Redhat

Severity : Moderate

Publid Date: 2023-02-28T18:56:00Z

Links: CVE-2022-1438 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object