Action not permitted
Modal body text goes here.
Modal Title
Modal Body
ghsa-8rmm-gm28-pj8q
Vulnerability from github
Published
2024-04-17 17:33
Modified
2024-08-29 21:31
Severity ?
Summary
Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow
Details
Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:).
Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission.
Acknowledgements:
Special thanks to Lauritz Holtmann for reporting this issue and helping us improve our project.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.keycloak:keycloak-services" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "22.0.10" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.keycloak:keycloak-services" }, "ranges": [ { "events": [ { "introduced": "23.0.0" }, { "fixed": "24.0.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-6717" ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-601", "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2024-04-17T17:33:04Z", "nvd_published_at": "2024-04-25T16:15:10Z", "severity": "MODERATE" }, "details": "Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:).\n\nAllowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission.\n\n#### Acknowledgements:\nSpecial thanks to Lauritz Holtmann for reporting this issue and helping us improve our project.", "id": "GHSA-8rmm-gm28-pj8q", "modified": "2024-08-29T21:31:02Z", "published": "2024-04-17T17:33:04Z", "references": [ { "type": "WEB", "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-8rmm-gm28-pj8q" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6717" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:1353" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:1867" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:1868" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:2945" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:4057" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-6717" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253952" }, { "type": "PACKAGE", "url": "https://github.com/keycloak/keycloak" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L", "type": "CVSS_V3" } ], "summary": "Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow" }
cve-2023-6717
Vulnerability from cvelistv5
Published
2024-04-25 16:02
Modified
2024-12-20 13:24
Severity ?
EPSS score ?
Summary
A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:1353 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1867 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1868 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:2945 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:4057 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2023-6717 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2253952 | issue-tracking, x_refsource_REDHAT |
Impacted products
Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
▼ | Red Hat | Red Hat AMQ Broker 7 |
cpe:/a:redhat:amq_broker:7.12 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-6717", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-04-25T19:15:14.697195Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:16:59.611Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T08:35:14.887Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:1867", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1867" }, { "name": "RHSA-2024:1868", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1868" }, { "name": "RHSA-2024:2945", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2945" }, { "name": "RHSA-2024:4057", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4057" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2023-6717" }, { "name": "RHBZ#2253952", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253952" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:amq_broker:7.12" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat AMQ Broker 7", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:build_keycloak:22::el9" ], "defaultStatus": "affected", "packageName": "rhbk/keycloak-operator-bundle", "product": "Red Hat build of Keycloak 22", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "22.0.10-1", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:build_keycloak:22::el9" ], "defaultStatus": "affected", "packageName": "rhbk/keycloak-rhel9", "product": "Red Hat build of Keycloak 22", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "22-13", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:build_keycloak:22::el9" ], "defaultStatus": "affected", "packageName": "rhbk/keycloak-rhel9-operator", "product": "Red Hat build of Keycloak 22", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "22-16", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:build_keycloak:22" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat build of Keycloak 22.0.10", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-data-index-ephemeral-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-data-index-postgresql-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-jobs-service-postgresql-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-operator-bundle", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-rhel8-operator", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-3", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-swf-builder-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-swf-devmode-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13" ], "defaultStatus": "unaffected", "product": "RHPAM 7.13.5 async", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:migration_toolkit_applications:6" ], "defaultStatus": "affected", "packageName": "mta/mta-ui-rhel8", "product": "Migration Toolkit for Applications 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:migration_toolkit_applications:7" ], "defaultStatus": "affected", "packageName": "mta/mta-ui-rhel9", "product": "Migration Toolkit for Applications 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat build of Apicurio Registry", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2" ], "defaultStatus": "unaffected", "packageName": "org.keycloak/keycloak-core", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_brms_platform:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Decision Manager 7", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:rhdh:1" ], "defaultStatus": "affected", "packageName": "rhdh-hub-container", "product": "Red Hat Developer Hub", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "org.keycloak-keycloak-parent", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "rh-sso7-keycloak", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_gitops:1" ], "defaultStatus": "affected", "packageName": "openshift-gitops-1/gitops-rhel8-operator", "product": "Red Hat OpenShift GitOps", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Single Sign-On 7", "vendor": "Red Hat" } ], "datePublic": "2024-04-16T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-20T13:24:39.697Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:1353", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1353" }, { "name": "RHSA-2024:1867", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1867" }, { "name": "RHSA-2024:1868", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1868" }, { "name": "RHSA-2024:2945", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2945" }, { "name": "RHSA-2024:4057", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4057" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2023-6717" }, { "name": "RHBZ#2253952", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253952" } ], "timeline": [ { "lang": "en", "time": "2023-12-11T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-04-16T00:00:00+00:00", "value": "Made public." } ], "title": "Keycloak: xss via assertion consumer service url in saml post-binding flow", "x_redhatCweChain": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2023-6717", "datePublished": "2024-04-25T16:02:03.267Z", "dateReserved": "2023-12-12T07:30:43.924Z", "dateUpdated": "2024-12-20T13:24:39.697Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.