Bug 1924606 (CVE-2021-20222) - CVE-2021-20222 keycloak: reflected XSS attack with referrer in new account console
Summary: CVE-2021-20222 keycloak: reflected XSS attack with referrer in new account co...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-20222
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1922216
Depends On:
Blocks: 1922217 1924595 1929062
Reported: 2021-02-03 10:02 UTC by Paramvir jindal
Modified: 2023-09-25 05:48 UTC (History)

Fixed In Version: keycloak 13.0.0
Clone Of:
Environment:
Last Closed: 2021-02-16 07:01:57 UTC
Embargoed:



Description Paramvir jindal 2021-02-03 10:02:27 UTC
An attacker can attach malicious code using the referrer URL in the new account console.

https://issues.redhat.com/browse/KEYCLOAK-17033

Comment 6 Paramvir jindal 2021-02-04 06:48:03 UTC
Acknowledgments:

Name: Manh Van Nguyen (ManhNV) (email: nguyenmanh0397)

Comment 8 Product Security DevOps Team 2021-02-16 07:01:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20222

Comment 9 Paramvir jindal 2021-02-18 06:35:43 UTC
*** Bug 1922216 has been marked as a duplicate of this bug. ***

Comment 10 ajaiswal595 2021-03-09 13:09:16 UTC
Hi Team,
Can you please let me know if this vulnerability is present in Keycloak 11.0.1?
Thanks,
Ajay Jaiswal

Comment 11 Paramvir jindal 2021-03-10 17:03:30 UTC
(In reply to ajaiswal595 from comment #10)
> Hi Team,
> Can you please let me know if this vulnerability is present in Keycloak
> 11.0.1?
> Thanks,
> Ajay Jaiswal

Hi Ajay,

This vulnerability is present in keycloak's New Account console which was first introduced in keycloak version 9.
https://issues.redhat.com/browse/KEYCLOAK-6197

However, in keycloak version 11.0.1 this new account console is available but not enabled by default, and it is also a tech preview feature.
So I would say the vulnerability is present in keycloak version 11.0.1, but in a tech preview feature that also needs to be explicitly enabled by adding some system properties when starting up the server. This would make it a Low impact vulnerability.

This issue has been fixed in keycloak version 12.0.3 via the below PR
https://github.com/keycloak/keycloak-prod/pull/421

Note: This Pull Request is in an internal repo, so you would need access to keycloak-prod to see the PR.

Hope this helps!

-Param

Comment 12 ajaiswal595 2021-03-11 07:07:58 UTC
Thanks, Param, for your response.

How would I get access to the PR https://github.com/keycloak/keycloak-prod/pull/421 ?

Any lead would be great.


Regards
-Ajay

Comment 13 ajaiswal595 2021-04-06 13:24:48 UTC
How do I enable the new account console feature in Keycloak 11.0.1, which is a tech preview feature?

I tried looking into standalone.xml but did not see any feature tag provided by default.

Comment 14 Paramvir jindal 2021-04-09 14:43:00 UTC
(In reply to ajaiswal595 from comment #13)
> How to enable new account console feature in Keycloak 11.0.1 which is tech
> preview feature.
> 
> I tried looking into standalone.xml but did not see any feature tag provided
> by default.

Use these system properties when starting the keycloak server:

-Dkeycloak.profile.feature.account_api=enabled -Dkeycloak.profile.feature.account2=enabled

and choose the "preview" account console theme from the admin console Themes tab.
