CVE-2022-4137

Improper Neutralization of Script in an Error Message Web Page (CWE-81)

Published: Mar 1, 2023 / Updated: 20mo ago

CVSS 6.1 | EPSS 0.04% | Medium

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing them to be changed or collected by an attacker.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2022-4137.

Mar 1, 2023 at 2:19 PM / access.redhat.com
CVE Assignment

NVD published the first details for CVE-2022-4137

Sep 25, 2023 at 8:15 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 8.5%)

Sep 26, 2023 at 5:29 PM

Affected Systems

Redhat/keycloak

Patches

bugzilla.redhat.com

Attack Patterns

CAPEC-198: XSS Targeting Error Pages

Vendor Advisory

CVE-2022-4137
This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. CWE-81: Improper Neutralization of Script in an Error Message Web Page

References

(CVE-2022-4137) CVE-2022-4137 keycloak: reflected XSS attack
RHSA-2023:1044: Important: Red Hat Single Sign-On 7.6.2 security update on RHEL 8
New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
RHSA-2023:1043: Important: Red Hat Single Sign-On 7.6.2 security update on RHEL 7
New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

News

NA - CVE-2022-4137 - A reflected cross-site scripting (XSS)...
This may compromise user details, allowing them to be changed or collected by an attacker. This flaw requires a user or administrator to interact with a link in order to be vulnerable.
CVE-2022-4137
This may compromise user details, allowing them to be changed or collected by an attacker. We have provided these links to other web sites because they may have information that would be of interest to you.
CVE-2022-4137 (keycloak, single_sign-on)
A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing them to be changed or collected by an attacker.
CVE-2022-4137
We have provided these links to other web sites because they This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page.
CVE-2022-4137
A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing them to be changed or collected by an attacker.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
