
CVE-2022-4361: Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC

CVSS Score: 10 (CVSS v3.1)

Basic Information

EPSS Score: 0.53731%
Published: 6/30/2023
Updated: 11/6/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name: org.keycloak:keycloak-services
Ecosystem: maven
Vulnerable Versions: < 21.1.2
First Patched Version: 21.1.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper validation of URI schemes in redirect handling. The commit patching CVE-2022-4361 adds explicit scheme checks to verifyRedirectUri() and changes matchesRedirects() to return the pattern that matched. Before the patch, verifyRedirectUri() normalized URIs without checking whether non-HTTP(S) schemes were explicitly allowed, so a crafted 'javascript:' URI passed validation whenever a client used a permissive wildcard pattern, enabling XSS. matchesRedirects() contributed to the problem because a generic '*' pattern matched non-HTTP schemes unless it was explicitly restricted. The test cases added in the commit (e.g., checking that 'javascript:alert("XSS")' is rejected) confirm this attack vector.
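The following is an added illustration of the pre-patch and patched validation logic described above; it is not Keycloak's own code, and the client registrations, function names and URIs are constructed for the example. The vulnerable variant only checks the wildcard pattern, so a bare '*' admits a 'javascript:' URI; the hardened variant additionally requires an http(s) scheme unless the matched pattern itself names a non-HTTP scheme.

```python
from typing import List
from urllib.parse import urlsplit

# Constructed sample client registrations (not real Keycloak configuration).
PERMISSIVE_CLIENT = ["*"]
SPECIFIC_CLIENT = ["https://app.example.com/*", "myapp://callback"]


def matches_pattern(uri: str, pattern: str) -> bool:
    """Wildcard match: a trailing '*' matches any suffix, otherwise exact."""
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def verify_redirect_uri_vulnerable(uri: str, patterns: List[str]) -> bool:
    """Pre-patch shape of the check: pattern match only, no scheme check,
    so a generic '*' also admits non-HTTP(S) schemes such as javascript:."""
    return any(matches_pattern(uri, p) for p in patterns)


def verify_redirect_uri_hardened(uri: str, patterns: List[str]) -> bool:
    """Patched shape of the check: the scheme must be http(s), unless the
    registered pattern that matched explicitly starts with that scheme."""
    scheme = urlsplit(uri).scheme.lower()
    if not scheme:
        return False  # relative URIs are not acceptable redirect targets
    for p in patterns:
        if not matches_pattern(uri, p):
            continue
        if scheme in ("http", "https"):
            return True
        # A non-HTTP scheme is allowed only when the matching pattern names
        # it itself (e.g. "myapp://callback"); a bare '*' does not.
        if p.lower().startswith(scheme + ":"):
            return True
    return False


if __name__ == "__main__":
    probe = 'javascript:alert("XSS")'  # rejection case from the patch's tests
    print("vulnerable:", verify_redirect_uri_vulnerable(probe, PERMISSIVE_CLIENT))
    print("hardened:  ", verify_redirect_uri_hardened(probe, PERMISSIVE_CLIENT))
```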


WAF Protection Rules

WAF Rule

AssertionConsumerServiceURL is a Java implementation for SAML Service Providers (org.keycloak.protocol.saml). Affected versions of this package are vulnerable to Cross-site Scripting (XSS). AssertionConsumerServiceURL allows XSS when sending a craft
