Potential Keycloak Vulnerability - CVE-ID: CVE-2022-2668



Article ID: 248713


Products

Service Virtualization

Issue/Introduction

An issue was discovered in Keycloak that allows arbitrary JavaScript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.

Keycloak SAML Protocol Mapper JavaScript Upload Remote Code Execution. Keycloak contains a flaw in the SAML Protocol Mapper: uploads of JavaScript to the mapper are not properly restricted.

This may allow an authenticated, remote attacker to potentially execute arbitrary code.

CVSS Score: 7.1
CVE-ID: CVE-2022-2668

Product: Red Hat [Red Hat Single Sign-On (7)], Keycloak [Keycloak (17.0.1)]


Environment

All supported DevTest releases.

Component : DevTest Vulnerability

Cause

N/A

Resolution

DevTest does not use the SAML Protocol Mapper for SSO in its Keycloak instance. The only option displayed and used is OpenID Connect.

It's a false positive and can be safely ignored.

The UPLOAD_SCRIPTS feature flag controls the upload button that appears on the SAML protocol SSO page, which DevTest has not added.
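As an added, defender-side check that is not part of this article or of Keycloak's own code, the following Python script audits a Keycloak realm export (the JSON produced by a realm export) for SAML clients and script-based protocol mappers. This is one way an operator could confirm the "OpenID Connect only" statement above against their own instance instead of taking it on trust. The sample export embedded below is constructed for the example, and the mapper provider-id strings in SCRIPT_MAPPER_TYPES are assumptions that should be verified against the mapper list of the Keycloak version in use.

```python
import json

# Provider ids of Keycloak's script-based protocol mappers. These are assumed
# values for this audit; confirm them against your Keycloak version.
SCRIPT_MAPPER_TYPES = {"saml-javascript-mapper", "oidc-script-based-protocol-mapper"}

# Constructed sample realm export: one OIDC client (the DevTest pattern) and one
# SAML client carrying a JavaScript mapper, so the report shows both outcomes.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "devtest-example",
    "clients": [
        {"clientId": "devtest-portal", "protocol": "openid-connect",
         "protocolMappers": [
             {"name": "email", "protocol": "openid-connect",
              "protocolMapper": "oidc-usermodel-property-mapper"}]},
        {"clientId": "legacy-saml-app", "protocol": "saml",
         "protocolMappers": [
             {"name": "role-script", "protocol": "saml",
              "protocolMapper": "saml-javascript-mapper",
              "config": {"Script": "/* constructed placeholder */"}}]},
    ],
    "clientScopes": [
        {"name": "profile", "protocol": "openid-connect",
         "protocolMappers": [
             {"name": "username", "protocol": "openid-connect",
              "protocolMapper": "oidc-usermodel-property-mapper"}]},
    ],
})

# Constructed export with OIDC clients only, i.e. the configuration the
# article describes for DevTest.
OIDC_ONLY_EXPORT = json.dumps({
    "realm": "devtest-clean",
    "clients": [
        {"clientId": "devtest-portal", "protocol": "openid-connect",
         "protocolMappers": []},
    ],
    "clientScopes": [],
})


def audit_realm(export_text):
    """Scan a realm export and report SAML clients and script-based mappers.

    Mappers are checked both on clients and on client scopes, since a realm
    export stores protocolMappers in both places.
    """
    realm = json.loads(export_text)
    report = {"saml_clients": [], "script_mappers": []}

    for client in realm.get("clients", []):
        if client.get("protocol") == "saml":
            report["saml_clients"].append(client["clientId"])
        for mapper in client.get("protocolMappers", []):
            if mapper.get("protocolMapper") in SCRIPT_MAPPER_TYPES:
                report["script_mappers"].append(
                    ("client", client["clientId"], mapper.get("name"),
                     mapper["protocolMapper"]))

    for scope in realm.get("clientScopes", []):
        for mapper in scope.get("protocolMappers", []):
            if mapper.get("protocolMapper") in SCRIPT_MAPPER_TYPES:
                report["script_mappers"].append(
                    ("clientScope", scope["name"], mapper.get("name"),
                     mapper["protocolMapper"]))
    return report


def is_exposed(report):
    """True when any script-based mapper is present; SAML clients alone are
    only a warning, since the issue needs the script mapper to be used."""
    return bool(report["script_mappers"])


if __name__ == "__main__":
    for label, export in (("sample", SAMPLE_REALM_EXPORT), ("oidc-only", OIDC_ONLY_EXPORT)):
        rep = audit_realm(export)
        print(label, "SAML clients:", rep["saml_clients"])
        print(label, "script mappers:", rep["script_mappers"])
        print(label, "exposed:", is_exposed(rep))
```

Run it against a real export (for example `kc.sh export` output or the admin console's partial export) by passing the file contents to audit_realm; an empty script_mappers list and no SAML clients is the state this article asserts for DevTest.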