CVE-2022-4137 — Vulnetix

Try Vulnetix Request Demo

CVE-2022-4137 PUBLISHED CVSS 8.100000381469727 HIGH

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.

EPSS 0.53% · 67.0th percentile

Risk Scores

CVSS v3.1

8.100000381469727

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS Score

0.53%

67.0th percentile

Affected Products

Vendor	Product	Versions
redhat	keycloak
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 7	0:18.0.6-1.redhat_00001.1.el7sso
Red Hat	Red Hat Single Sign-On 7
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 9	0:18.0.6-1.redhat_00001.1.el9sso
Maven	org.keycloak:keycloak-parent	0
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 8	0:18.0.6-1.redhat_00001.1.el8sso
redhat	single_sign-on	7.6

Timeline

Feb 27, 2023 CVE Published
Sep 26, 2023 EPSS Score
Oct 27, 2023 EPSS Score
Nov 28, 2023 EPSS Score
Dec 29, 2023 EPSS Score
Jan 30, 2024 EPSS Score
Mar 1, 2024 EPSS Score
Apr 1, 2024 EPSS Score
May 3, 2024 EPSS Score
Jun 3, 2024 EPSS Score
Jul 4, 2024 EPSS Score
Aug 5, 2024 EPSS Score

References

RHSA-2023:1043 vendor-advisory
RHSA-2023:1044 vendor-advisory
RHSA-2023:1045 vendor-advisory
RHSA-2023:1049 vendor-advisory
https://access.redhat.com/security/cve/CVE-2022-4137 vdb
RHBZ#2148496 issue
https://github.com/keycloak/keycloak/security/advisories/GHSA-9hhc-pj4w-w5rv url
https://nvd.nist.gov/vuln/detail/CVE-2022-4137 advisory
https://github.com/keycloak/keycloak/pull/16774 url
https://github.com/keycloak/keycloak/commit/30d0e9d22dae51392e5a3748a1c68c116667359a url
https://github.com/keycloak/keycloak package

Open in Interactive Console →