Bug 1919143 (CVE-2021-20195) - CVE-2021-20195 keycloak: The Account console allows stored self-XSS via impersonation mechanism
Summary: CVE-2021-20195 keycloak: The Account console allows stored self-XSS via imper...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-20195
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1919124
TreeView+ depends on / blocked
 
Reported: 2021-01-22 08:56 UTC by Paramvir jindal
Modified: 2021-02-16 07:01 UTC (History)
40 users (show)

Fixed In Version: keycloak 13.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in keycloak. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-02-16 07:01:53 UTC


Attachments (Terms of Use)

Description Paramvir jindal 2021-01-22 08:56:59 UTC
The Keycloak server is vulnerable to a Self Stored XSS attack vector, which can be escalated to a complete account takeover using additional attack techniques as specified below. Specifically, the Account page does not HTML-encode the user first name, and last name, which means a malicious HTML code, which executes malicious Javascript code, can be embedded into the Account page. Even though the malicious Javascript code is linked to the attacker user (Self-XSS), it can be exploited on the Keycloak admin browser, using the Impersonation functionality, and thus, the attacker is able to compromise Keycloak.

https://issues.redhat.com/browse/KEYCLOAK-16890

Comment 1 Paramvir jindal 2021-01-22 08:57:09 UTC
Acknowledgments:

Name: Amit Laish (GE Digital, Cyber Security Lab)

Comment 4 Paramvir jindal 2021-01-22 09:01:05 UTC
Recommendations:

    HTML encode the user first name, and last name, so when the browser receives it from the server, it is embedded into the HTML page and is not executed.
    Make sure to use CSP (Content Security Policy) browser protection mechanism.
    Reimplement the realms separation in such a manner that each realm is accessible by different subdomain. By doing so, SOP (Same Origin Policy) browser protection mechanism limits the attacker abilities, for example, the attacker should not be able to read the responses for its malicious requests in XSS scenarios.

Comment 10 Product Security DevOps Team 2021-02-16 07:01:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20195


Note You need to log in before you can comment on or make changes to this bug.