
Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console

High severity GitHub Reviewed Published Sep 22, 2022 in keycloak/keycloak • Updated Jan 8, 2023

Package

maven org.keycloak:keycloak-parent (Maven)

Affected versions

< 19.0.2

Patched versions

19.0.2

Description

An issue was discovered in Keycloak that allows arbitrary JavaScript to be uploaded for the SAML protocol mapper through the admin console even when the UPLOAD_SCRIPTS feature is disabled.
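A defender-side check for the condition this advisory describes, added here and not part of the advisory or of Keycloak itself: it scans a realm export for script-based SAML protocol mappers on clients and client scopes, so an administrator can confirm no such mappers were uploaded while the feature was meant to be off. The provider id "saml-javascript-mapper", the config key "Script" and the export layout are assumptions based on Keycloak's realm export format; the sample export is constructed.

```python
import json

# Provider id of Keycloak's script-based SAML mapper (assumed; verify against your version).
SCRIPT_MAPPER_IDS = {"saml-javascript-mapper"}

# Constructed realm export fragment, not data taken from the advisory.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "sp-app", "protocol": "saml",
         "protocolMappers": [
             {"name": "role-list", "protocol": "saml",
              "protocolMapper": "saml-role-list-mapper", "config": {}},
             {"name": "custom-attr", "protocol": "saml",
              "protocolMapper": "saml-javascript-mapper",
              "config": {"Script": "exports = user.getEmail();"}},
         ]},
    ],
    "clientScopes": [
        {"name": "saml-scope", "protocol": "saml",
         "protocolMappers": [
             {"name": "scope-script", "protocol": "saml",
              "protocolMapper": "saml-javascript-mapper",
              "config": {"Script": "exports = 'x';"}},
         ]},
    ],
})


def find_script_mappers(realm_json: str):
    """Return (container kind, container name, mapper name, script) for every
    script-based mapper found on clients or client scopes in a realm export."""
    realm = json.loads(realm_json)
    hits = []
    for kind, key in (("client", "clients"), ("clientScope", "clientScopes")):
        for container in realm.get(key, []):
            cname = container.get("clientId") or container.get("name", "?")
            for mapper in container.get("protocolMappers", []):
                if mapper.get("protocolMapper") in SCRIPT_MAPPER_IDS:
                    script = mapper.get("config", {}).get("Script", "")
                    hits.append((kind, cname, mapper.get("name", "?"), script))
    return hits


if __name__ == "__main__":
    for kind, cname, mname, script in find_script_mappers(SAMPLE_REALM_EXPORT):
        print(f"{kind} {cname}: mapper '{mname}' runs a script ({len(script)} chars)")
```

Any hit in a realm where script upload is intended to be disabled is worth investigating: the mapper should be removed or reviewed, and the server upgraded to a patched version.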

References

@abstractj abstractj published to keycloak/keycloak Sep 22, 2022
Published to the GitHub Advisory Database Sep 23, 2022
Reviewed Sep 23, 2022
Last updated Jan 8, 2023

Severity

High
7.2 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Weaknesses

No CWEs

CVE ID

CVE-2022-2668

GHSA ID

GHSA-wf7g-7h6h-678v

Source code
