Bug 2115392 (CVE-2022-2668) - CVE-2022-2668 keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console
Summary: CVE-2022-2668 keycloak: Uploading of SAML javascript protocol mapper scripts ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-2668
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2115393
TreeView+ depends on / blocked
 
Reported: 2022-08-04 15:04 UTC by Joshua Mulliken
Modified: 2022-12-03 08:18 UTC (History)
7 users (show)

Fixed In Version: keycloak 19.0.2
Doc Type: ---
Doc Text:
A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.
Clone Of:
Environment:
Last Closed: 2022-12-03 08:18:11 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6782 0 None None None 2022-10-04 15:38:46 UTC
Red Hat Product Errata RHSA-2022:6783 0 None None None 2022-10-04 15:42:30 UTC
Red Hat Product Errata RHSA-2022:6787 0 None None None 2022-10-04 15:54:29 UTC
Red Hat Product Errata RHSA-2022:7409 0 None None None 2022-11-03 14:51:59 UTC
Red Hat Product Errata RHSA-2022:7410 0 None None None 2022-11-03 14:51:36 UTC
Red Hat Product Errata RHSA-2022:7411 0 None None None 2022-11-03 14:52:45 UTC
Red Hat Product Errata RHSA-2022:7417 0 None None None 2022-11-03 15:15:43 UTC

Description Joshua Mulliken 2022-08-04 15:04:03 UTC 
Original report

From @mposolda

In the past we had CVE due the fact it was possible to upload
javascripts directly through admin console. The ability to deploy
scripts through admin console was deprecated and in Keycloak 18 (RH-SSO
7.6) removed entirely for:

    Javascript authorization policy
    Script based authenticator
    OIDC protocol mapper

However it seems we have this ability still enabled for javascript based
protocol mapper for SAML clients. I've checked with latest Keycloak and
also with RH-SSO 7.6 and RH-SSO 7.5 that it is still possible to
directly upload javascripts with the admin console with the usage of
SAML javascript protocol mapper. This is possible even if SCRIPTS
feature is disabled (and also UPLOAD_SCRIPTS in RH-SSO 7.5), which makes
it even worse though... So administrator of SAML clients still has the
ability to run arbitrary javascript code on the server (for example to
read content of the file /etc/passwd and log it somewhere etc)

IMO this can be classified as CVE and looks like something, which should
be fixed soon and backported to RH-SSO 7.6 (I guess also 7.5 z-stream,
not sure about 7.4 and if we are still required to support that one as
z-stream).
Comment 3 errata-xmlrpc 2022-10-04 15:38:43 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2022:6782 https://access.redhat.com/errata/RHSA-2022:6782
Comment 4 errata-xmlrpc 2022-10-04 15:42:28 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2022:6783 https://access.redhat.com/errata/RHSA-2022:6783
Comment 5 errata-xmlrpc 2022-10-04 15:54:26 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2022:6787 https://access.redhat.com/errata/RHSA-2022:6787
Comment 7 errata-xmlrpc 2022-11-03 14:51:35 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2022:7410 https://access.redhat.com/errata/RHSA-2022:7410
Comment 8 errata-xmlrpc 2022-11-03 14:51:57 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2022:7409 https://access.redhat.com/errata/RHSA-2022:7409
Comment 9 errata-xmlrpc 2022-11-03 14:52:43 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2022:7411 https://access.redhat.com/errata/RHSA-2022:7411
Comment 10 errata-xmlrpc 2022-11-03 15:15:23 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6.1

Via RHSA-2022:7417 https://access.redhat.com/errata/RHSA-2022:7417
Comment 11 Product Security DevOps Team 2022-12-03 08:18:09 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2668
Note You need to log in before you can comment on or make changes to this bug.