5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2256

GHSA ID

GHSA-w9mf-83w3-fv49

EPSS Score

0.53672%

CWE

CWE-79

Published

9/23/2022

Updated

1/7/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2256

CVE-2022-2256: Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles

A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including the latest release (18.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing of the default roles functionality.

CVSS 3.1 - 3.8

Vector String: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Vector Clarification:

User interaction is not required as the admin console is regularly used during an administrator's work
The scope is unchanged since the admin console web application is both the vulnerable component and where the exploit executes

Credits

Aytaç Kalıncı, Ilker Bulgurcu, Yasin Yılmaz (@aytackalinci, @smileronin, @yasinyilmaz) - NETAŞ PENTEST TEAM

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2256

GHSA ID

GHSA-w9mf-83w3-fv49

EPSS Score

0.53672%

CWE

CWE-79

Published

9/23/2022

Updated

1/7/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.keycloak:keycloak-parent	maven	< 19.0.2	19.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the clientSelectControl function's handling of client IDs in the admin console UI. The commit diff shows:

Removal of the formatResult function that directly returned unescaped clientId
Replacement with a mapped response that explicitly constructs text properties
The original code path allowed arbitrary clientId values (including XSS payloads) to be rendered directly in the DOM. The patch adds proper data handling by explicitly defining text properties rather than relying on raw object values, indicating the vulnerability existed in how client IDs were processed and rendered without sanitization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* Stor** XSS vuln*r**ility w*s r*port** in t** K*y*lo*k S**urity m*ilin* list, *****tin* *ll t** v*rsions o* K*y*lo*k, in*lu*in* t** l*t*st r*l**s* (**.*.*). T** vuln*r**ility *llows * privil**** *tt**k*r to *x**ut* m*li*ious s*ripts in t** **min *on

Reasoning

T** vuln*r**ility st*ms *rom t** *li*ntS*l**t*ontrol *un*tion's **n*lin* o* *li*nt I*s in t** **min *onsol* UI. T** *ommit *i** s*ows: *. R*mov*l o* t** *orm*tR*sult *un*tion t**t *ir**tly r*turn** un*s**p** *li*ntI* *. R*pl***m*nt wit* * m*pp** r*s

5.4

Basic Information

Concerned about an active attack path?

CVE-2022-2256: Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles

CVSS 3.1 - 3.8

Credits

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI