A flaw was discovered in Keycloak Core package. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular attributes in the users attributes. The password is also created, but the user attributes must not be there. This way, any entities (all users and clients with proper rights/roles) are able to retrieve the users passwords in clear-text. A malicious user with minimal access reading other users attributes could have access to their password and hence jeopardize the environment. This shall only affect Keycloak 22.0.2. While Keycloak 22.0.1 is not affected.
https://github.com/keycloak/keycloak/security/advisories/GHSA-5q66-v53q-pm35