
CVE-2022-2256: Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.53672%
Published: 9/23/2022
Updated: 1/7/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name                  Ecosystem  Vulnerable Versions  First Patched Version
org.keycloak:keycloak-parent  maven      < 19.0.2             19.0.2

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from the clientSelectControl function's handling of client IDs in the admin console UI. The commit diff shows:

  1. Removal of the formatResult function that directly returned the unescaped clientId.
  2. Replacement with a mapped response that explicitly constructs text properties.

The original code path allowed arbitrary clientId values, including XSS payloads, to be rendered directly in the DOM. Because the clientId is persisted when a client is created, the payload lives in the server-side data and fires in the browser of any administrator who later opens a page that loads this control; that persistence is what makes this a stored rather than reflected XSS, and it matches the PR:L/UI:R vector above (a privileged attacker plants the value, a victim admin has to load the page). The patch adds proper data handling by explicitly defining text properties rather than relying on raw object values, indicating that the vulnerability existed in how client IDs were processed and rendered without sanitization.
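As an added example, not code from Keycloak or from Miggo, the following JavaScript models the rendering contract the analysis describes: a select widget whose formatResult callback is allowed to return markup, handed the raw clientId (the vulnerable shape), beside the fixed shape where each response object is mapped to an explicit {id, text} object and the widget escapes text itself. The widget, the client list and the payload string are constructed for illustration and are assumptions, not the admin console's real code or a known exploit string.

```javascript
// Added illustration (not Keycloak's code): models the rendering pattern
// described in the root-cause analysis. A select widget that lets a
// formatResult callback return markup renders whatever the callback
// returns; when that callback hands back the raw clientId, a stored
// clientId becomes stored XSS for the next admin who opens the page.

// Constructed sample data: what a client list endpoint might return after
// an attacker with client-create rights stored a hostile clientId.
// The payload is an example string, not a known Keycloak exploit.
const SAMPLE_CLIENTS = [
  { id: "c1", clientId: "account" },
  { id: "c2", clientId: "<img src=x onerror=alert(document.cookie)>" },
];

// Minimal HTML escaping, equivalent to assigning the value to a text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Simulated select widget (hypothetical): builds dropdown markup from items.
// If `formatResult` is supplied it is trusted to return HTML (the vulnerable
// contract); otherwise the widget reads item.text and escapes it itself
// (the fixed contract).
function renderSelect(items, formatResult) {
  return items
    .map((item) => {
      const inner = formatResult ? formatResult(item) : escapeHtml(item.text);
      return `<li data-id="${escapeHtml(item.id)}">${inner}</li>`;
    })
    .join("");
}

// Before the fix: the control passes the raw clientId to the widget as markup.
function renderClientSelectVulnerable(clients) {
  return renderSelect(clients, (client) => client.clientId);
}

// After the fix: map each response object to an explicit {id, text} shape and
// let the widget escape text; no callback returns markup any more.
function renderClientSelectFixed(clients) {
  const mapped = clients.map((c) => ({ id: c.id, text: c.clientId }));
  return renderSelect(mapped);
}

// Detection helper for the two outputs: does the rendered fragment contain an
// unescaped tag other than the widget's own <li> wrappers?
function containsRawTag(html) {
  const withoutWrappers = html.replace(/<\/?li\b[^>]*>/g, "");
  return /<(img|script|svg|iframe)\b/i.test(withoutWrappers);
}

console.log("vulnerable:", renderClientSelectVulnerable(SAMPLE_CLIENTS));
console.log("fixed:     ", renderClientSelectFixed(SAMPLE_CLIENTS));
```

Run with node; the vulnerable output contains a live <img onerror> element while the fixed output contains only the escaped text of the clientId. The design point is the contract change rather than the escaping function itself: once no caller is allowed to return markup, the widget can escape every option uniformly and a hostile clientId has no rendering path left.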

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including the latest release (**.*.*). The vulnerability allows a privileged attacker to execute malicious scripts in the admin con...
