Bug 2115392 (CVE-2022-2668)
| Summary: | CVE-2022-2668 keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | mulliken |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aboyko, boliveir, chazlett, pdrozd, pjindal, pskopek, sthorger |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | keycloak 19.0.2 | Doc Type: | --- |
| Doc Text: | A flaw was found in keycloak. The vulnerability allows arbitrary JavaScript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-12-03 08:18:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2115393 | ||
This issue has been addressed in the following products:

- Red Hat Single Sign-On 7.5 for RHEL 7, via RHSA-2022:6782 https://access.redhat.com/errata/RHSA-2022:6782
- Red Hat Single Sign-On 7.5 for RHEL 8, via RHSA-2022:6783 https://access.redhat.com/errata/RHSA-2022:6783
- Red Hat Single Sign-On, via RHSA-2022:6787 https://access.redhat.com/errata/RHSA-2022:6787
- Red Hat Single Sign-On 7.6 for RHEL 8, via RHSA-2022:7410 https://access.redhat.com/errata/RHSA-2022:7410
- Red Hat Single Sign-On 7.6 for RHEL 7, via RHSA-2022:7409 https://access.redhat.com/errata/RHSA-2022:7409
- Red Hat Single Sign-On 7.6 for RHEL 9, via RHSA-2022:7411 https://access.redhat.com/errata/RHSA-2022:7411
- Red Hat Single Sign-On 7.6.1, via RHSA-2022:7417 https://access.redhat.com/errata/RHSA-2022:7417

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-2668
Original report

From @mposolda

In the past we had a CVE due to the fact that it was possible to upload JavaScript directly through the admin console. The ability to deploy scripts through the admin console was deprecated and in Keycloak 18 (RH-SSO 7.6) removed entirely for:

- JavaScript authorization policy
- Script-based authenticator
- OIDC protocol mapper

However, it seems we still have this ability enabled for the JavaScript-based protocol mapper for SAML clients. I've checked with the latest Keycloak and also with RH-SSO 7.6 and RH-SSO 7.5 that it is still possible to directly upload JavaScript through the admin console using the SAML JavaScript protocol mapper. This is possible even if the SCRIPTS feature is disabled (and also UPLOAD_SCRIPTS in RH-SSO 7.5), which makes it even worse though...

So an administrator of SAML clients still has the ability to run arbitrary JavaScript code on the server (for example to read the content of the file /etc/passwd and log it somewhere, etc.). IMO this can be classified as a CVE and looks like something which should be fixed soon and backported to RH-SSO 7.6 (I guess also 7.5 z-stream, not sure about 7.4 and if we are still required to support that one as z-stream).
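A defender's check for the configuration the report describes, added here as an example and not code from this bug or from Keycloak: it walks a realm export (the JSON a Keycloak realm export produces) and lists every SAML client mapper of the JavaScript type, so an administrator can confirm that no uploaded script mappers remain after moving to the fixed version. The provider id `saml-javascript-mapper` and the config key that holds the script body are assumptions to verify against the deployed version; the sample export is constructed.

```python
# Provider id of Keycloak's SAML JavaScript mapper and the config key that
# carries the script body; both assumed here, verify against your version.
SAML_SCRIPT_MAPPER_ID = "saml-javascript-mapper"
SCRIPT_CONFIG_KEYS = ("Script", "script")


def find_saml_script_mappers(realm):
    """Return one (clientId, mapper name, script excerpt) tuple per SAML
    client mapper that embeds an uploaded script. On a server where the
    SCRIPTS feature is disabled, such mappers are exactly what CVE-2022-2668
    let a client administrator create, so every finding deserves review."""
    findings = []
    for client in realm.get("clients", []):
        if client.get("protocol") != "saml":
            continue
        for mapper in client.get("protocolMappers", []):
            if mapper.get("protocolMapper") != SAML_SCRIPT_MAPPER_ID:
                continue
            cfg = mapper.get("config") or {}
            script = next((cfg[k] for k in SCRIPT_CONFIG_KEYS if k in cfg), "")
            excerpt = " ".join(script.split())[:60]  # collapse whitespace
            findings.append((client.get("clientId"), mapper.get("name"), excerpt))
    return findings


# Constructed sample export (not a real realm): one OIDC client with an
# ordinary mapper and one SAML client that carries a JavaScript mapper.
SAMPLE_EXPORT = {
    "realm": "example",
    "clients": [
        {"clientId": "web-app", "protocol": "openid-connect",
         "protocolMappers": [{"name": "email", "protocolMapper":
                              "oidc-usermodel-property-mapper", "config": {}}]},
        {"clientId": "saml-app", "protocol": "saml",
         "protocolMappers": [
             {"name": "role-list", "protocolMapper": "saml-role-list-mapper",
              "config": {}},
             {"name": "custom-attr", "protocolMapper": SAML_SCRIPT_MAPPER_ID,
              "config": {"Script": "// constructed: any server-side code\n"
                                   "  exports = 'x';"}},
         ]},
    ],
}

if __name__ == "__main__":
    for client_id, name, excerpt in find_saml_script_mappers(SAMPLE_EXPORT):
        print(f"{client_id}: mapper '{name}' embeds a script: {excerpt}")
```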