Bug 2253952 (CVE-2023-6717)

Summary: CVE-2023-6717 keycloak: XSS via assertion consumer service URL in SAML POST-binding flow
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aileenc, anstephe, asoldano, ataylor, aveerama, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, dpalmer, drichtar, dsimansk, ecerquei, eric.wittmann, fjuma, gercan, gmalinko, gsmet, ibek, ivassile, iweiss, janstey, jchui, jmartisk, jrokos, jross, kingland, ktsao, kverlaen, lgao, lthon, matzew, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nboldt, nwallace, olubyans, pantinor, pdelbell, pdrozd, peholase, pgallagh, pierdipi, pjindal, pmackay, porcelli, probinso, pskopek, rgarg, rguimara, rhuss, rjohnson, rkieley, rowaters, rruss, rstancel, rsvoboda, rtaniwa, sausingh, sbiarozk, sdouglas, security-response-team, shbose, skontopo, smaestri, sthorger, tkral, tom.jenkinson, tqvarnst, ubhargav
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service (ACS) POST Binding URLs, posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm, or a client with registration access, to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the entire Keycloak instance.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2253608

Description TEJ RATHI 2023-12-11 08:34:32 UTC
Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:). Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission. Thus, Keycloak is vulnerable to Cross-Site Scripting (XSS) by registering a JavaScript URI as Assertion Consumer Service POST Binding URL.
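The mechanism described in the Doc Text and in the description above, as an added example that is not Keycloak's own code (Node.js, using only the built-in WHATWG URL class): it renders the auto-submitting POST-binding form the way a SAML IdP does, shows that a javascript: ACS URL survives HTML attribute escaping intact and becomes the form's action, and adds a hypothetical registration-time scheme check, isSafeAcsUrl, that rejects anything other than http(s). The function names, the sample client id, and the base64 placeholder are constructed for this example; nothing here reproduces how Keycloak's fix is implemented.

```javascript
// Added example, not Keycloak code. Models the SAML POST binding the way the
// report above explains it: the IdP renders an auto-submitting HTML form whose
// action is the client's registered Assertion Consumer Service (ACS) URL and
// whose hidden field carries the SAMLResponse. If the registered ACS URL is a
// javascript: URI, submitting the form evaluates that script in the origin that
// rendered the form, i.e. the Keycloak origin.

// Constructed placeholder standing in for a real base64 SAMLResponse
// (it is just base64("<samlp:Response/>")).
const SAMPLE_SAML_RESPONSE_B64 = "PHNhbWxwOlJlc3BvbnNlLz4=";

// Standard attribute escaping. It is *not* a defence here: the browser decodes
// the attribute again before parsing the action as a URL.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The POST-binding page: form action = ACS URL, hidden SAMLResponse, auto-submit.
function renderPostBindingForm(acsUrl, samlResponseB64) {
  return [
    '<html><body onload="document.forms[0].submit()">',
    `<form method="POST" action="${escapeHtmlAttr(acsUrl)}">`,
    `<input type="hidden" name="SAMLResponse" value="${escapeHtmlAttr(samlResponseB64)}">`,
    '<noscript><input type="submit" value="Continue"></noscript>',
    "</form></body></html>",
  ].join("\n");
}

// Hypothetical registration-time check (assumption for this example, not the
// project's validator). Only absolute http(s) URLs may be stored as an ACS URL.
const ALLOWED_ACS_SCHEMES = new Set(["http:", "https:"]);

function isSafeAcsUrl(raw) {
  if (typeof raw !== "string") return false;
  let u;
  try {
    u = new URL(raw); // no base URL: relative paths and empty strings are rejected
  } catch {
    return false;
  }
  // The WHATWG parser lower-cases the scheme, strips leading/trailing
  // whitespace and removes embedded tabs/newlines, exactly as the browser will
  // when it parses the form action. So "JavaScript:", "  javascript:" and
  // "java\tscript:" all normalise to protocol "javascript:" and are caught,
  // while a naive raw.startsWith("javascript:") check would miss them.
  return ALLOWED_ACS_SCHEMES.has(u.protocol);
}

// What a client-registration handler would do with the check (hypothetical).
function registerSamlClient(clientId, acsPostUrl) {
  if (!isSafeAcsUrl(acsPostUrl)) {
    throw new Error(`rejecting ACS POST-binding URL for ${clientId}: scheme must be http(s)`);
  }
  return { clientId, acsPostUrl };
}

// Shows the unsafe rendering next to the check that would have stopped it.
function demo() {
  const maliciousAcs = "javascript:alert(document.domain)";
  return {
    renderedFormAction: renderPostBindingForm(maliciousAcs, SAMPLE_SAML_RESPONSE_B64)
      .split("\n")[1],
    acceptedByValidator: isSafeAcsUrl(maliciousAcs),
    legitimateAccepted: isSafeAcsUrl("https://sp.example.com/saml/acs"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of routing the check through the URL parser rather than a string comparison is that the browser applies the same normalisation to the form action, so a check that does not see the URL the way the browser does can be bypassed with case or whitespace tricks; the scheme allow-list has to be applied when the URL is stored, since escaping at render time cannot turn a javascript: URL into something harmless.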

Comment 9 errata-xmlrpc 2024-04-16 20:26:29 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22.0.10

Via RHSA-2024:1868 https://access.redhat.com/errata/RHSA-2024:1868

Comment 10 errata-xmlrpc 2024-04-16 20:26:58 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:1867 https://access.redhat.com/errata/RHSA-2024:1867