Keycloak SAML mapper allows arbitrary JS upload despite UPLOAD_SCRIPTS disabled
CVE-2022-2668 Published on August 5, 2022
An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled
Products Associated with CVE-2022-2668
stack.watch emails you whenever new vulnerabilities are published in Red Hat Single Sign On or Red Hat Keycloak. Just hit a watch button to start following.
Vulnerable Packages
The following package name and versions may be associated with CVE-2022-2668
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.keycloak:keycloak-parent | < 19.0.2 | 19.0.2 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.