CVE-2022-4361 – RHSSO: XSS due to lax URI scheme validation
https://notcve.org/view.php?id=CVE-2022-4361
Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri. • https://bugzilla.redhat.com/show_bug.cgi?id=2151618 https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a https://access.redhat.com/security/cve/CVE-2022-4361 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-81: Improper Neutralization of Script in an Error Message Web Page •
CVE-2023-2585 – Keycloak: client access via device auth request spoof
https://notcve.org/view.php?id=CVE-2023-2585
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client. La concesión de autorización del dispositivo de Keycloak no valida correctamente el código del dispositivo y la identificación del cliente. Un cliente atacante podría abusar de la validación faltante para falsificar una solicitud de consentimiento del cliente y engañar a un administrador de autorización para que otorgue el consentimiento a un cliente OAuth malicioso o un posible acceso no autorizado a un cliente OAuth existente. • https://access.redhat.com/errata/RHSA-2023:3883 https://access.redhat.com/errata/RHSA-2023:3884 https://access.redhat.com/errata/RHSA-2023:3885 https://access.redhat.com/errata/RHSA-2023:3888 https://access.redhat.com/errata/RHSA-2023:3892 https://access.redhat.com/security/cve/CVE-2023-2585 https://bugzilla.redhat.com/show_bug.cgi?id=2196335 • CWE-358: Improperly Implemented Security Check for Standard •
CVE-2023-1108 – Undertow: infinite loop in sslconduit during close
https://notcve.org/view.php?id=CVE-2023-1108
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates. Se encontró una falla en undertow. Este problema hace posible lograr una denegación de servicio debido a un estado de protocolo de enlace inesperado actualizado en SslConduit, donde el bucle nunca termina • https://access.redhat.com/errata/RHSA-2023:1184 https://access.redhat.com/errata/RHSA-2023:1185 https://access.redhat.com/errata/RHSA-2023:1512 https://access.redhat.com/errata/RHSA-2023:1513 https://access.redhat.com/errata/RHSA-2023:1514 https://access.redhat.com/errata/RHSA-2023:1516 https://access.redhat.com/errata/RHSA-2023:2135 https://access.redhat.com/errata/RHSA-2023:3883 https://access.redhat.com/errata/RHSA-2023:3884 https://access.redhat.com/errata/RHSA • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2022-1274 – keycloak: HTML injection in execute-actions-email Admin REST API
https://notcve.org/view.php?id=CVE-2022-1274
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. • https://bugzilla.redhat.com/show_bug.cgi?id=2073157 https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725 https://herolab.usd.de/security-advisories/usd-2021-0033 https://access.redhat.com/security/cve/CVE-2022-1274 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2022-3916 – Keycloak: session takeover with oidc offline refreshtokens
https://notcve.org/view.php?id=CVE-2022-3916
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. Se encontró una falla en el alcance offline_access en Keycloak. Este problema afectaría más a los usuarios de ordenadores compartidos (especialmente si las cookies no se borran), debido a la falta de validación de la sesión root y a la reutilización de los identificadores de sesión en las sesiones de autenticación de usuario y root. • https://access.redhat.com/errata/RHSA-2022:8961 https://access.redhat.com/errata/RHSA-2022:8962 https://access.redhat.com/errata/RHSA-2022:8963 https://access.redhat.com/errata/RHSA-2022:8964 https://access.redhat.com/errata/RHSA-2022:8965 https://access.redhat.com/errata/RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1047 https://access.redhat.com/errata/RHSA • CWE-384: Session Fixation CWE-613: Insufficient Session Expiration •