CVE-2022-0225

Aliases:GHSA-fqc7-5xxc-ph7r

Advisory lineage Upstream: 0 Downstream: 5

Downstream

RHSA-2022:6782 RHSA-2022:6783 RHSA-2022:7409 RHSA-2022:7410 RHSA-2022:7411

Modified

Published: 26 Aug 2022, 17:25

Last modified:02 Aug 2024, 23:18

Vulnerability Summary

Overall Risk (default)

medium

32/100

CVSS Score

5.4 MEDIUM

v3.1 (nvd)

EPSS Score

0.51% LOW

1% probability +0.08%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

26 Aug 2022, 17:25

Published

Vulnerability first disclosed

02 Aug 2024, 23:18

Last Modified

Vulnerability information updated

Description

A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.

CVSS Metrics

v3.1•MEDIUM•Score: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 0.51%• Percentile: 67%

Techniques & Countermeasures

CWE-79•Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Affected Systems

org.keycloak•keycloak-core
≤ 16.1.0
redhat•keycloak
na
redhat•single_sign-on
7.0