CVE-2022-3782

CRITICAL LAB

Redhat Keycloak < 20.0.2 - Path Traversal

Title source: rule

Description

keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.

Exploits (1)

nomisec STUB

by shoucheng3 · poc

https://github.com/shoucheng3/keycloak__keycloak_CVE-2022-3782_20-0-1

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2022-3782

Scores

CVSS v3 9.1

EPSS 0.0012

EPSS Percentile 30.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Lab Environment

COMMUNITY

Community Lab

docker pull registry.access.redhat.com/ubi8-minimal

docker pull registry:2

docker pull jboss/base-jdk:8

docker pull google/cadvisor:v0.26.1

docker pull grafana/grafana:4.4.3

https://github.com/shoucheng3/keycloak__keycloak_CVE-2022-3782_20-0-1

View in Library

Details

CWE

CWE-22

Status published

Products (2)

org.keycloak/keycloak-parent 0 - 20.0.2Maven

redhat/keycloak 20.0.2

Published Jan 13, 2023

Tracked Since Feb 18, 2026