Описание
Keycloak vulnerable to Cross-site Scripting
A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.
Details
This issue is the result of code found in the exception here: https://github.com/keycloak/keycloak/blob/48835576daa158443f69917ac309e1a7c951bc87/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L1045
Steps to reproduce
When using the legacy admin console:
- Sign in as Admin user in first tab.
- In that tab create new user in keycloak admin section > intercept user creation request and modify it by including malicious js script there (in username field).
- Sign in as newly created user in second tab (same browser window but second tab).
- Navigate back to first tab where you are signed in as admin, navigate to admin console which lists all application users.
- Choose any user (except newly created malicious one) – modify anything for that user in his settings. E.g. navigate to credentials tab and set new credentials for him. Also set new password as temporary.
- After update for that user is made, use impersonate option on that modified user.
- You should see window with form which requires providing new credentials – fill it and submit request.
- Just after submiting request user will get notified that “You are already authenticated as different user ‘[user + payload]’ in this session. Please sign out first.” And malicious payload will be executed instantly.
Ссылки
- https://github.com/keycloak/keycloak/security/advisories/GHSA-w354-2f3c-qvg9
- https://nvd.nist.gov/vuln/detail/CVE-2022-1438
- https://access.redhat.com/errata/RHSA-2023:1043
- https://access.redhat.com/errata/RHSA-2023:1044
- https://access.redhat.com/errata/RHSA-2023:1045
- https://access.redhat.com/errata/RHSA-2023:1047
- https://access.redhat.com/errata/RHSA-2023:1049
- https://access.redhat.com/security/cve/cve-2022-1438
- https://bugzilla.redhat.com/show_bug.cgi?id=2031904
- https://github.com/keycloak/keycloak/blob/48835576daa158443f69917ac309e1a7c951bc87/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L1045
Пакеты
org.keycloak:keycloak-services
<= 21.0.0
Отсутствует
Связанные уязвимости
A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.
A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.
A flaw was found in Keycloak. Under specific circumstances, HTML entit ...
Уязвимость объектов HTML программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)