CVE-2022-4137

Summary

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Single Sign-On 7.6 for RHEL 70:18.0.6-1.redhat_00001.1.el7sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 80:18.0.6-1.redhat_00001.1.el8sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 90:18.0.6-1.redhat_00001.1.el9sso < *unaffected

Weaknesses

  • CWE-81: Improper Neutralization of Script in an Error Message Web Page

ADP Enrichment

CVE Program Container

Additional References

References