Bug 1489161 (CVE-2017-12158)

Summary: CVE-2017-12158 keycloak: reflected XSS using HOST header
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bdawidow, chazlett, dffrench, drieden, drusso, jmadigan, jshepherd, kpiwko, lgriffin, ngough, pdrozd, pwright, rrajasek, security-response-team, sthorger, trepel
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Keycloak 3.3.0.Final, Keycloak 3.4.0.Final Doc Type: If docs needed, set a value
Doc Text:
It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 11:56:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1484091    

Description Chess Hazlett 2017-09-06 20:31:18 UTC 
It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.

Upstream issue:

https://issues.jboss.org/browse/KEYCLOAK-5225
Comment 1 Chess Hazlett 2017-10-17 16:12:25 UTC 
Acknowledgments:

Name: Mykhailo Stadnyk (Playtech)
Comment 2 errata-xmlrpc 2017-10-17 19:43:04 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2017:2906 https://access.redhat.com/errata/RHSA-2017:2906
Comment 3 errata-xmlrpc 2017-10-17 19:54:04 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.1 for RHEL 6

Via RHSA-2017:2904 https://access.redhat.com/errata/RHSA-2017:2904
Comment 4 errata-xmlrpc 2017-10-17 19:54:35 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.1 for RHEL 7

Via RHSA-2017:2905 https://access.redhat.com/errata/RHSA-2017:2905