CVE-2022-4361

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-4361
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-4361.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-4361
Aliases
Downstream
Published
2023-07-07T20:15:09Z
Modified
2025-10-10T04:18:21.494449Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in its SAML and OIDC providers. An attacker can cause malicious scripts to execute in a victim's browser by supplying a crafted AssertionConsumerServiceURL value (SAML) or redirect_uri (OIDC); the user must interact with the crafted request, which is reflected in the CVSS vector (UI:R) above.

References

Affected packages

Git / github.com/keycloak/keycloak

Affected ranges

Type
GIT
Repo
https://github.com/keycloak/keycloak
Events
Introduced
0 — unknown introduced commit; all commits before the fix are treated as affected
Fixed

Affected versions

1.*

1.0-alpha-1
1.0-alpha-1-12062013
1.0-alpha-2
1.0-alpha-3
1.0-beta-1
1.0-beta-2
1.0-beta-4
1.0-final
1.0-rc-1
1.0.0.Final
1.1.0.Beta2
1.3.0.Final

2.*

2.4.0.Test

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2022-4361-02ff1647",
            "digest": {
                "length": 889.0,
                "function_hash": "162419661588290410253194893523694962201"
            },
            "signature_version": "v1",
            "target": {
                "function": "matchesRedirects",
                "file": "services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java"
            },
            "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
            "deprecated": false,
            "signature_type": "Function"
        },
        {
            "id": "CVE-2022-4361-19a9f6ee",
            "digest": {
                "length": 414.0,
                "function_hash": "49195714772931502885929669216117149658"
            },
            "signature_version": "v1",
            "target": {
                "function": "resolveValidRedirects",
                "file": "services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java"
            },
            "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
            "deprecated": false,
            "signature_type": "Function"
        },
        {
            "id": "CVE-2022-4361-5ea24910",
            "digest": {
                "length": 1607.0,
                "function_hash": "324295965197083123055007845864519904269"
            },
            "signature_version": "v1",
            "target": {
                "function": "verifyRedirectUri",
                "file": "services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java"
            },
            "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
            "deprecated": false,
            "signature_type": "Function"
        },
        {
            "id": "CVE-2022-4361-6e0df4ad",
            "digest": {
                "line_hashes": [
                    "218285995002526502236412891927405441265",
                    "323881776217991790380402730320821759924",
                    "239470406334422613240302194341471952723",
                    "9283435826492671502289758732815251667",
                    "94442937322120503682751036960782425464",
                    "14176925072626382320197488178553553665"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "target": {
                "file": "testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/BasicSamlTest.java"
            },
            "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
            "deprecated": false,
            "signature_type": "Line"
        },
        {
            "id": "CVE-2022-4361-9258a5f0",
            "digest": {
                "line_hashes": [
                    "21393447413080957042999660415923345611",
                    "330757768336987817297661345579604667326",
                    "13459450449724664373668402449700994489",
                    "178607642621736380456687376956078023875",
                    "196443210634696092726533943257197378466",
                    "268314210794145899078300254112733382291",
                    "338935507404355852554232444201699988139",
                    "249164690452926811467512141496890517307",
                    "96429089629430284568547175640136965557",
                    "166436106521150564559236128476320867363",
                    "126342621267388441756277966211578374211"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "target": {
                "file": "testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java"
            },
            "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
            "deprecated": false,
            "signature_type": "Line"
        },
        {
            "id": "CVE-2022-4361-976d8d8a",
            "digest": {
                "line_hashes": [
                    "320044748034175025693719119813189116705",
                    "240948519832516623025022441153166981078",
                    "199271067641313861725612287239776612858",
                    "78785256245707145533495248931698913610",
                    "39001674815853740356212243631691558295",
                    "158070856765640224426752636073590182644",
                    "325805103490268361775301515937835570084",
                    "309945801688743170081803218661810162884",
                    "9026029101350044121418485412974360172",
                    "302271492078456126691382976183210737829",
                    "72016895114100159762526692331305669274",
                    "60482759618223911768953948776991064317",
                    "42713839843729437767286001130141561380",
                    "162351203056570365543595698489470734605",
                    "53414782076404410972754961357935376892",
                    "8137894453736494140474930296345687355",
                    "232358180059108653025229367092666065586",
                    "244896814544226850794159499764195758619",
                    "18496353455081435645734157927075925557",
                    "19355464449594884736160226064108216640",
                    "56627407109494278815545237223639689190",
                    "81422403828285409907796783913042674851",
                    "253484701549231087092037535457854832290",
                    "302919981984585027108576595026925676908",
                    "224635296052577918910367052282655109711",
                    "250066301752307082514231310953027829206",
                    "96697147081832703439173566881066286722",
                    "294616335260830423653557876733152340065",
                    "178857383300088815683888794476595166576",
                    "18838507332067548566321031319866791677",
                    "103232518481820287912543312065296363612",
                    "203714619589132201837781054796004044145",
                    "188830553252186369744291903190357305036",
                    "34369258319653589711812876680727707313",
                    "231490248079508540030354296080689510671",
                    "183681560773190326218877214952084356159",
                    "268697522414795794554537365202258852855",
                    "329159277664453004117366629142128111755",
                    "43117666934305862447370599037567690677",
                    "323209100149251942963907852266870927099",
                    "243333316162508045117700467971356675463",
                    "136353522893459943994047373945746878309",
                    "148175232626730612994081486700947435540",
                    "13333557960514413809273552246216766845",
                    "336404108204059135045481586579746593206",
                    "148136436887164206788240615518950867790",
                    "80902547330954605275798859333312404691",
                    "199291279638026700348763738412591521209",
                    "2139725881103368918024213779611523902",
                    "173283300070770028418730907068585477280",
                    "13807149361249426386396659685052722812",
                    "225372204863039360110731594248805780866",
                    "106371346731207130321765225482609143051",
                    "317303567779041714274559458258240458195",
                    "133185021651410417147625674385889302672",
                    "144958636281245224635966325855299807927",
                    "339910142121647559224017065196864827564",
                    "276773127508841465841325236415923293325"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "target": {
                "file": "services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java"
            },
            "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
            "deprecated": false,
            "signature_type": "Line"
        },
        {
            "id": "CVE-2022-4361-b425427f",
            "digest": {
                "length": 431.0,
                "function_hash": "68792696561126574327685194184914418093"
            },
            "signature_version": "v1",
            "target": {
                "function": "getNormalizedRedirectUri",
                "file": "services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java"
            },
            "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
            "deprecated": false,
            "signature_type": "Function"
        }
    ]
}