CVE-2022-2668:
Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console
7.2
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.46429%
CWE
-
Published
9/23/2022
Updated
1/8/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.keycloak:keycloak-parent | maven | < 19.0.2 | 19.0.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from three key issues: 1) The isScriptForSpi method in KeycloakProcessor failed to properly distinguish SAML mappers from other mappers, allowing SAML script uploads even when disabled. 2) ScriptBasedMapper lacked feature flag enforcement, making SAML script execution always available. 3) The new SAML_MAPPERS infrastructure in ScriptProviderDescriptor provided a pathway for script injection that bypassed existing security controls. The commit patched these by introducing SAML_MAPPERS separation, adding feature checks in ScriptBasedMapper, and modifying SPI validation logic in KeycloakProcessor.