CVE-2022-4361

CRITICAL LAB

Keycloak < 21.1.2 - Cross-Site Scripting via AssertionConsumerServiceURL or redirect_uri


Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-4361. PoCs published by faccimatteo, shoucheng3.

AI-analyzed exploit summary: This PoC exploits CVE-2022-4361, an open redirect vulnerability in Keycloak that can lead to reflected XSS. It crafts a malicious authentication URL with a JavaScript payload in the 'redirect_uri' parameter and sets 'response_mode' to 'form_post' to trigger the vulnerability.

Description

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.

Exploits (2)

nomisec · Working PoC · 1 star
by faccimatteo · poc
https://github.com/faccimatteo/CVE-2022-4361


Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Keycloak versions <= 21.1.1
No auth needed
Prerequisites: Vulnerable Keycloak instance with OIDC configured · Access to the Keycloak login endpoint
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

nomisec · Working PoC
by shoucheng3 · poc
https://github.com/shoucheng3/keycloak__keycloak_CVE-2022-4361_21-1-1

This repository contains a proof-of-concept exploit for CVE-2022-4361, targeting Keycloak. The exploit involves manipulating FIPS mode settings and includes scripts for testing and validation.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Keycloak
No auth needed
Prerequisites: Access to the target system · Ability to run scripts
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 10.0
EPSS 0.0056
EPSS Percentile 42.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull registry.access.redhat.com/ubi9-micro
docker pull registry:2
docker pull quay.io/keycloak/keycloak:21.1.1

Details

CWE
CWE-79 CWE-81
Status published
Products (10)
org.keycloak/keycloak-services 0 - 21.1.2 (Maven)
redhat/keycloak < 21.1.2
redhat/openshift_container_platform 4.11
redhat/openshift_container_platform 4.12
redhat/openshift_container_platform_for_ibm_linuxone 4.9
redhat/openshift_container_platform_for_ibm_linuxone 4.10
redhat/openshift_container_platform_for_power 4.9
redhat/openshift_container_platform_for_power 4.10
redhat/single_sign-on
redhat/single_sign-on 7.6 - 7.6.4
Published Jul 07, 2023
Tracked Since Feb 18, 2026