VDB

CVE-2022-4137

CVE-2022-4137 PUBLISHED CVSS 8.100000381469727 HIGH

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.

EPSS 0.53% · 67.6th percentile

Risk Scores

CVSS 3.1
8.100000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score
0.53%
67.6th percentile

Affected Products

VendorProductVersions
redhatkeycloak
Red HatRed Hat Single Sign-On 7.6 for RHEL 70:18.0.6-1.redhat_00001.1.el7sso
Red HatRed Hat Single Sign-On 7
Red HatRed Hat Single Sign-On 7.6 for RHEL 90:18.0.6-1.redhat_00001.1.el9sso
Mavenorg.keycloak:keycloak-parent0
Red HatRed Hat Single Sign-On 7.6 for RHEL 8*
redhatsingle_sign-on7.6

Exploit Intelligence

…and 4 more exploits

Timeline

  • Feb 27, 2023 CVE Published
  • Sep 26, 2023 EPSS Score
  • Oct 28, 2023 EPSS Score
  • Nov 29, 2023 EPSS Score
  • Dec 31, 2023 EPSS Score
  • Feb 1, 2024 EPSS Score
  • Mar 4, 2024 EPSS Score
  • Apr 5, 2024 EPSS Score
  • May 7, 2024 EPSS Score
  • Jun 8, 2024 EPSS Score
  • Jul 10, 2024 EPSS Score
  • Aug 11, 2024 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›