Bug 1919143 (CVE-2021-20195)

Summary: CVE-2021-20195 keycloak: The Account console allows stored self-XSS via impersonation mechanism
Product: [Other] Security Response Reporter: Paramvir jindal <pjindal>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, avibelli, bgeorges, bibryam, chazlett, cmoulliard, dkreling, drieden, etirelli, ganandan, ggaughan, gmalinko, hbraun, ibek, ikanello, janstey, jochrist, jpallich, jstastny, jwon, krathod, kverlaen, lthon, mnovotny, mszynkie, pantinor, pdrozd, pgallagh, pjindal, rrajasek, rruss, rsynek, sdaley, security-response-team, sthorger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: keycloak 13.0.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in keycloak. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-16 07:01:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1919124    

Description Paramvir jindal 2021-01-22 08:56:59 UTC
The Keycloak server is vulnerable to a Self Stored XSS attack vector, which can be escalated to a complete account takeover using additional attack techniques as specified below. Specifically, the Account page does not HTML-encode the user first name, and last name, which means a malicious HTML code, which executes malicious Javascript code, can be embedded into the Account page. Even though the malicious Javascript code is linked to the attacker user (Self-XSS), it can be exploited on the Keycloak admin browser, using the Impersonation functionality, and thus, the attacker is able to compromise Keycloak.

https://issues.redhat.com/browse/KEYCLOAK-16890

Comment 1 Paramvir jindal 2021-01-22 08:57:09 UTC
Acknowledgments:

Name: Amit Laish (GE Digital, Cyber Security Lab)

Comment 4 Paramvir jindal 2021-01-22 09:01:05 UTC
Recommendations:

    HTML encode the user first name, and last name, so when the browser receives it from the server, it is embedded into the HTML page and is not executed.
    Make sure to use CSP (Content Security Policy) browser protection mechanism.
    Reimplement the realms separation in such a manner that each realm is accessible by different subdomain. By doing so, SOP (Same Origin Policy) browser protection mechanism limits the attacker abilities, for example, the attacker should not be able to read the responses for its malicious requests in XSS scenarios.

Comment 10 Product Security DevOps Team 2021-02-16 07:01:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20195