CVE-2022-4361

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-4361
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-4361.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-4361
Aliases
Downstream
Published
2023-07-07T20:15:09.813Z
Modified
2025-11-20T12:10:41.397228Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N — reachable over the network with low attack complexity and no privileges, but it needs a victim to act (UI:R, typically following a crafted link to the Keycloak endpoint); scope is Changed, as is conventional for XSS where the script runs in the identity provider's origin rather than the attacker's; confidentiality and integrity impact are rated Low and availability is unaffected. CVSS Calculator
Summary
[none]
Details

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in its SAML and OIDC providers. An attacker who can get a user to follow a crafted authentication request can execute script in the Keycloak origin by controlling the SAML AssertionConsumerServiceURL value or the OIDC redirect_uri parameter, which suggests the redirect-target validation accepted values carrying script content. The vanir signatures below all point to commit a1cfe6e24e5b34792699a00b8b4a8016a5929e3a as the fix; it changes the redirect-URI validation in services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java (verifyRedirectUri, matchesRedirects, resolveValidRedirects and getNormalizedRedirectUri) and adds regression tests in BasicSamlTest and AuthorizationCodeTest. Operators should verify their build contains that commit rather than relying on the version list on this page; tightening each client's Valid Redirect URIs to exact matches is the usual hardening for this code path, but because the flaw is in the validation logic itself, upgrading is the only reliable remediation.

References

Affected packages

Git / github.com/keycloak/keycloak

Affected ranges

Type
GIT
Repo
https://github.com/keycloak/keycloak
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
(no fixed event is recorded in this range; the vanir signatures below cite commit a1cfe6e24e5b34792699a00b8b4a8016a5929e3a as the fix source — with an "introduced: 0" event and no fixed event the GIT range is open-ended, so the Affected versions list that follows should not be read as an exhaustive set of vulnerable releases)
Affected versions

1.*

1.0-alpha-1
1.0-alpha-1-12062013
1.0-alpha-2
1.0-alpha-3
1.0-beta-1
1.0-beta-2
1.0-beta-4
1.0-final
1.0-rc-1
1.0.0.Final
1.1.0.Beta2
1.3.0.Final

2.*

2.4.0.Test

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "target": {
            "file": "services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java",
            "function": "matchesRedirects"
        },
        "digest": {
            "length": 889.0,
            "function_hash": "162419661588290410253194893523694962201"
        },
        "id": "CVE-2022-4361-02ff1647",
        "signature_type": "Function",
        "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java",
            "function": "resolveValidRedirects"
        },
        "digest": {
            "length": 414.0,
            "function_hash": "49195714772931502885929669216117149658"
        },
        "id": "CVE-2022-4361-19a9f6ee",
        "signature_type": "Function",
        "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java",
            "function": "verifyRedirectUri"
        },
        "digest": {
            "length": 1607.0,
            "function_hash": "324295965197083123055007845864519904269"
        },
        "id": "CVE-2022-4361-5ea24910",
        "signature_type": "Function",
        "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/BasicSamlTest.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "218285995002526502236412891927405441265",
                "323881776217991790380402730320821759924",
                "239470406334422613240302194341471952723",
                "9283435826492671502289758732815251667",
                "94442937322120503682751036960782425464",
                "14176925072626382320197488178553553665"
            ]
        },
        "id": "CVE-2022-4361-6e0df4ad",
        "signature_type": "Line",
        "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "21393447413080957042999660415923345611",
                "330757768336987817297661345579604667326",
                "13459450449724664373668402449700994489",
                "178607642621736380456687376956078023875",
                "196443210634696092726533943257197378466",
                "268314210794145899078300254112733382291",
                "338935507404355852554232444201699988139",
                "249164690452926811467512141496890517307",
                "96429089629430284568547175640136965557",
                "166436106521150564559236128476320867363",
                "126342621267388441756277966211578374211"
            ]
        },
        "id": "CVE-2022-4361-9258a5f0",
        "signature_type": "Line",
        "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "320044748034175025693719119813189116705",
                "240948519832516623025022441153166981078",
                "199271067641313861725612287239776612858",
                "78785256245707145533495248931698913610",
                "39001674815853740356212243631691558295",
                "158070856765640224426752636073590182644",
                "325805103490268361775301515937835570084",
                "309945801688743170081803218661810162884",
                "9026029101350044121418485412974360172",
                "302271492078456126691382976183210737829",
                "72016895114100159762526692331305669274",
                "60482759618223911768953948776991064317",
                "42713839843729437767286001130141561380",
                "162351203056570365543595698489470734605",
                "53414782076404410972754961357935376892",
                "8137894453736494140474930296345687355",
                "232358180059108653025229367092666065586",
                "244896814544226850794159499764195758619",
                "18496353455081435645734157927075925557",
                "19355464449594884736160226064108216640",
                "56627407109494278815545237223639689190",
                "81422403828285409907796783913042674851",
                "253484701549231087092037535457854832290",
                "302919981984585027108576595026925676908",
                "224635296052577918910367052282655109711",
                "250066301752307082514231310953027829206",
                "96697147081832703439173566881066286722",
                "294616335260830423653557876733152340065",
                "178857383300088815683888794476595166576",
                "18838507332067548566321031319866791677",
                "103232518481820287912543312065296363612",
                "203714619589132201837781054796004044145",
                "188830553252186369744291903190357305036",
                "34369258319653589711812876680727707313",
                "231490248079508540030354296080689510671",
                "183681560773190326218877214952084356159",
                "268697522414795794554537365202258852855",
                "329159277664453004117366629142128111755",
                "43117666934305862447370599037567690677",
                "323209100149251942963907852266870927099",
                "243333316162508045117700467971356675463",
                "136353522893459943994047373945746878309",
                "148175232626730612994081486700947435540",
                "13333557960514413809273552246216766845",
                "336404108204059135045481586579746593206",
                "148136436887164206788240615518950867790",
                "80902547330954605275798859333312404691",
                "199291279638026700348763738412591521209",
                "2139725881103368918024213779611523902",
                "173283300070770028418730907068585477280",
                "13807149361249426386396659685052722812",
                "225372204863039360110731594248805780866",
                "106371346731207130321765225482609143051",
                "317303567779041714274559458258240458195",
                "133185021651410417147625674385889302672",
                "144958636281245224635966325855299807927",
                "339910142121647559224017065196864827564",
                "276773127508841465841325236415923293325"
            ]
        },
        "id": "CVE-2022-4361-976d8d8a",
        "signature_type": "Line",
        "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java",
            "function": "getNormalizedRedirectUri"
        },
        "digest": {
            "length": 431.0,
            "function_hash": "68792696561126574327685194184914418093"
        },
        "id": "CVE-2022-4361-b425427f",
        "signature_type": "Function",
        "source": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a",
        "signature_version": "v1"
    }
]