CVE-2022-4137

HIGH LAB

Redhat Keycloak < 20.0.5 - XSS

Title source: rule

Description

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.

Exploits (1)

nomisec STUB
by shoucheng3 · poc
https://github.com/shoucheng3/keycloak__keycloak_CVE-2022-4137_20-0-3

References (6)

Scores

CVSS v3 8.1
EPSS 0.0053
EPSS Percentile 67.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Lab Environment

COMMUNITY
Community Lab
docker pull registry.access.redhat.com/ubi8-minimal
docker pull registry:2
docker pull jboss/base-jdk:8
docker pull google/cadvisor:v0.26.1
docker pull grafana/grafana:4.4.3

Details

CWE
CWE-81 CWE-79
Status published
Products (3)
org.keycloak/keycloak-parent 0 - 20.0.5Maven
redhat/keycloak
redhat/single_sign-on 7.6
Published Sep 25, 2023
Tracked Since Feb 18, 2026