A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.
References
Link | Resource |
---|---|
https://access.redhat.com/errata/RHSA-2023:1043 | Vendor Advisory |
https://access.redhat.com/errata/RHSA-2023:1044 | Vendor Advisory |
https://access.redhat.com/errata/RHSA-2023:1045 | Vendor Advisory |
https://access.redhat.com/errata/RHSA-2023:1049 | Vendor Advisory |
https://access.redhat.com/security/cve/CVE-2022-4137 | Vendor Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2148496 | Issue Tracking Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2023-09-25T19:17:55.522Z
Updated: 2024-05-03T15:32:27.111Z
Reserved: 2022-11-24T14:10:49.215Z
Link: CVE-2022-4137
JSON object: View
NVD Information
Status : Modified
Published: 2023-09-25T20:15:09.897
Modified: 2023-11-07T03:57:01.453
Link: CVE-2022-4137
JSON object: View
Redhat Information
No data.