Bug 1924606 (CVE-2021-20222)
| Summary: | CVE-2021-20222 keycloak: reflected XSS attack with referrer in new account console | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Paramvir jindal <pjindal> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | aboyko, aileenc, ajaiswal595, akoufoud, alazarot, almorale, anstephe, avibelli, bgeorges, bibryam, chazlett, cmoulliard, dkreling, drieden, etirelli, ganandan, ggaughan, gmalinko, hbraun, ibek, ikanello, janstey, jochrist, jpallich, jstastny, jwon, krathod, kverlaen, lthon, mnovotny, mszynkie, pantinor, pdrozd, pgallagh, pjindal, psampaio, rrajasek, rruss, rsynek, sdaley, security-response-team, sthorger |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | keycloak 13.0.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-02-16 07:01:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1922217, 1924595, 1929062 | | |
Description
Paramvir jindal
2021-02-03 10:02:27 UTC
Acknowledgments:
Name: Manh Van Nguyen (ManhNV) (email: nguyenmanh0397)

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-20222

*** Bug 1922216 has been marked as a duplicate of this bug. ***

ajaiswal595 (comment #10)

Hi Team,
Can you please let me know if this vulnerability is present in Keycloak 11.0.1?
Thanks,
Ajay Jaiswal

Paramvir jindal

(In reply to ajaiswal595 from comment #10)
> Hi Team,
> Can you please let me know if this vulnerability is present in Keycloak
> 11.0.1?
> Thanks,
> Ajay Jaiswal

Hi Ajay,
This vulnerability is present in keycloak's New Account console, which was first introduced in keycloak version 9.
https://issues.redhat.com/browse/KEYCLOAK-6197
However, in keycloak version 11.0.1 this new account console is available but not enabled by default, and it is also a tech preview feature. So I would say the vulnerability is present in keycloak version 11.0.1, but in a tech preview feature that also needs to be explicitly enabled by adding some system properties when starting up the server. This would make it a Low impact vulnerability.
This issue has been fixed in keycloak version 12.0.3 via the below PR:
https://github.com/keycloak/keycloak-prod/pull/421
Note: This Pull Request is for an internal repo, so you would need access to keycloak-prod to see the PR.
Hope this helps!
-Param

ajaiswal595

Thanks, Param, for your response. How would I get access to the PR https://github.com/keycloak/keycloak-prod/pull/421? Any lead would be great.
Regards
-Ajay

ajaiswal595 (comment #13)

How to enable the new account console feature in Keycloak 11.0.1, which is a tech preview feature?
I tried looking into standalone.xml but did not see any feature tag provided by default.

Paramvir jindal

(In reply to ajaiswal595 from comment #13)
> How to enable new account console feature in Keycloak 11.0.1 which is tech
> preview feature.
>
> I tried looking into standalone.xml but did not see any feature tag provided
> by default.

Use these system properties while starting the keycloak server:
-Dkeycloak.profile.feature.account_api=enabled
-Dkeycloak.profile.feature.account2=enabled
and choose the "preview" account console theme from the admin console Themes tab.
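The flaw tracked here is a reflected XSS in which text derived from the referrer URL reaches the account console's markup without adequate validation. The following is an added illustration of that failure mode and its mitigation; it is not Keycloak's code and not the fix in the PR linked above. It models a hypothetical "back to application" link rendered from a referrer name and URI: first built by naive string interpolation, then hardened by parsing the URI, restricting it to http(s) and to a constructed origin allow-list, and HTML-escaping everything that lands in the markup. The function names, the allow-list, and the sample inputs are all assumptions made for this example.

```javascript
// Added example (not Keycloak's code). Demonstrates why referrer-derived
// strings must be validated and escaped before they reach HTML.

// Minimal HTML escaper for text and attribute values.
const escapeHtml = (s) => String(s)
  .replace(/&/g, '&amp;')
  .replace(/</g, '&lt;')
  .replace(/>/g, '&gt;')
  .replace(/"/g, '&quot;')
  .replace(/'/g, '&#39;');

// Unsafe: referrer-controlled text is interpolated straight into markup,
// so any tag or non-http scheme the caller supplies is emitted verbatim.
function renderBackLinkUnsafe(referrerName, referrerUri) {
  return `<a href="${referrerUri}">Back to ${referrerName}</a>`;
}

// Constructed allow-list of client origins this deployment is willing to link back to.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Returns a normalised absolute URL string, or null if the candidate is not an
// http(s) URL whose origin is on the allow-list.
function validateReferrerUri(referrerUri) {
  let url;
  try {
    url = new URL(referrerUri);            // rejects relative and malformed input
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!ALLOWED_ORIGINS.has(url.origin)) return null;
  return url.href;
}

// Hardened: validate the URI first, then escape both the URI and the display
// name before they are placed in the markup. Unknown referrers get no link at all.
function renderBackLinkSafe(referrerName, referrerUri) {
  const safeUri = validateReferrerUri(referrerUri);
  if (safeUri === null) return '';
  return `<a href="${escapeHtml(safeUri)}">Back to ${escapeHtml(referrerName)}</a>`;
}

// Constructed sample inputs: one legitimate referrer and one hostile one.
const LEGIT_NAME = 'My <App>';
const LEGIT_URI = 'https://app.example.com/home?x=1';
const HOSTILE_NAME = '<script>x</script>';
const HOSTILE_URI = 'javascript:void(0)';

console.log('unsafe, hostile :', renderBackLinkUnsafe(HOSTILE_NAME, HOSTILE_URI));
console.log('safe, hostile   :', JSON.stringify(renderBackLinkSafe(HOSTILE_NAME, HOSTILE_URI)));
console.log('safe, legit     :', renderBackLinkSafe(LEGIT_NAME, LEGIT_URI));
```

The key design choice is that validation happens on a parsed `URL` object (scheme and origin), not on the raw string, and that escaping is applied unconditionally afterwards; either step alone leaves a gap (escaping does not stop a `javascript:` scheme in `href`, and origin checks do not stop markup in the display name).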