CVE-2022-2668

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled

Affected Software

Name	Vendor	Start Version	End Version
Keycloak	Redhat	18.0.0 (including)	18.0.0 (including)
Single_sign-on	Redhat	7.0 (including)	7.0 (including)
Red Hat Single Sign-On 7	RedHat	keycloak-saml-core	*
Red Hat Single Sign-On 7.5 for RHEL 7	RedHat	rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso	*
Red Hat Single Sign-On 7.5 for RHEL 8	RedHat	rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso	*
Red Hat Single Sign-On 7.6.1	RedHat	keycloak-saml-core	*
Red Hat Single Sign-On 7.6 for RHEL 7	RedHat	rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso	*
Red Hat Single Sign-On 7.6 for RHEL 8	RedHat	rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso	*
Red Hat Single Sign-On 7.6 for RHEL 9	RedHat	rh-sso7-0:1-5.el9sso	*
Red Hat Single Sign-On 7.6 for RHEL 9	RedHat	rh-sso7-javapackages-tools-0:6.0.0-7.el9sso	*
Red Hat Single Sign-On 7.6 for RHEL 9	RedHat	rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-2668
CWE	https://cwe.mitre.org/data/definitions/.html

Affected Software

References