CVE-2022-2232

Summary

A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-20: Improper Input Validation

Workarounds

This flaw requires a misconfiguration of the "UUID LDAP Attribute" values. When they are set to the standard entryUUID, objectGUID or nsuniqueid Keycloak is not vulnerable.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References