Is the Keycloak in DevTest 10.6 Vulnerable to Keycloak Vulnerability Finding ID: VUF-22995229


Article ID: 211467



Products

Service Virtualization

Issue/Introduction

We received the vulnerability alert below about Keycloak.
We need to know whether the version of Keycloak delivered with DevTest 10.6 is affected by it.

Vulnerability Finding ID: VUF-22995229
Vulnerability Finding Name: Red Hat Keycloak New Account Console Referrer URL Reflected XSS  
Severity: Medium
Discussion: Red Hat Keycloak New Account Console Referrer URL Reflected XSS. Red Hat Keycloak contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the new account console does not properly sanitize input to the referrer URL before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that executes arbitrary script code in a user's browser session within the trust relationship between their browser and the server.  
CVSS Score: 4.3
Product: Red Hat [Keycloak (12.0.2)]


Environment

DevTest 10.6

CA Service Virtualization

Resolution

Comment:
In Keycloak 11.0.1 the account console looks like the screen below.

In the link below, if you open the PDF for the new Account Console, it is different from what we have in 11.0.1:
https://issues.redhat.com/browse/KEYCLOAK-6197

Hence we may say this page is not being used in Keycloak 11.0.1, and the vulnerability reported is not for the version we shipped to the customer.

I have tested this, and the new Account Console is not being used in IAM.
So this vulnerability is not applicable to our IAM.
