{"id":"CVE-2022-4361","details":"Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.","aliases":["GHSA-3p62-6fjh-3p5h"],"modified":"2026-04-12T03:22:19.769815Z","published":"2023-07-07T20:15:09.813Z","references":[{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2151618"},{"type":"FIX","url":"https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/keycloak/keycloak","events":[{"introduced":"0"},{"fixed":"99774b3f7a776476e7f04e472e13e3915971a6fb"},{"fixed":"a1cfe6e24e5b34792699a00b8b4a8016a5929e3a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"21.1.2"}]}}],"versions":["1.0-alpha-1","1.0-alpha-1-12062013","1.0-alpha-2","1.0-alpha-3","1.0-beta-1","1.0-beta-2","1.0-beta-4","1.0-final","1.0-rc-1","1.0.0.Final","1.1.0.Beta2","1.3.0.Final","2.4.0.Test"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a","digest":{"length":889,"function_hash":"162419661588290410253194893523694962201"},"deprecated":false,"target":{"file":"services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java","function":"matchesRedirects"},"id":"CVE-2022-4361-02ff1647","signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a","digest":{"length":414,"function_hash":"49195714772931502885929669216117149658"},"deprecated":false,"target":{"file":"services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java","function":"resolveValidRedirects"},"id":"CVE-2022-4361-19a9f6ee","signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a","digest":{"length":1607,"function_hash":"324295965197083123055007845864519904269"},"deprecated":false,"target":{"file":"services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java","function":"verifyRedirectUri"},"id":"CVE-2022-4361-5ea24910","signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a","digest":{"line_hashes":["218285995002526502236412891927405441265","323881776217991790380402730320821759924","239470406334422613240302194341471952723","9283435826492671502289758732815251667","94442937322120503682751036960782425464","14176925072626382320197488178553553665"],"threshold":0.9},"deprecated":false,"target":{"file":"testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/BasicSamlTest.java"},"id":"CVE-2022-4361-6e0df4ad","signature_type":"Line","signature_version":"v1"},{"source":"https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a","digest":{"line_hashes":["21393447413080957042999660415923345611","330757768336987817297661345579604667326","13459450449724664373668402449700994489","178607642621736380456687376956078023875","196443210634696092726533943257197378466","268314210794145899078300254112733382291","338935507404355852554232444201699988139","249164690452926811467512141496890517307","96429089629430284568547175640136965557","166436106521150564559236128476320867363","126342621267388441756277966211578374211"],"threshold":0.9},"deprecated":false,"target":{"file":"testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java"},"id":"CVE-2022-4361-9258a5f0","signature_type":"Line","signature_version":"v1"},{"source":"https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a","digest":{"line_hashes":["320044748034175025693719119813189116705","240948519832516623025022441153166981078","199271067641313861725612287239776612858","78785256245707145533495248931698913610","39001674815853740356212243631691558295","158070856765640224426752636073590182644","325805103490268361775301515937835570084","309945801688743170081803218661810162884","9026029101350044121418485412974360172","302271492078456126691382976183210737829","72016895114100159762526692331305669274","60482759618223911768953948776991064317","42713839843729437767286001130141561380","162351203056570365543595698489470734605","53414782076404410972754961357935376892","8137894453736494140474930296345687355","232358180059108653025229367092666065586","244896814544226850794159499764195758619","18496353455081435645734157927075925557","19355464449594884736160226064108216640","56627407109494278815545237223639689190","81422403828285409907796783913042674851","253484701549231087092037535457854832290","302919981984585027108576595026925676908","224635296052577918910367052282655109711","250066301752307082514231310953027829206","96697147081832703439173566881066286722","294616335260830423653557876733152340065","178857383300088815683888794476595166576","18838507332067548566321031319866791677","103232518481820287912543312065296363612","203714619589132201837781054796004044145","188830553252186369744291903190357305036","34369258319653589711812876680727707313","231490248079508540030354296080689510671","183681560773190326218877214952084356159","268697522414795794554537365202258852855","329159277664453004117366629142128111755","43117666934305862447370599037567690677","323209100149251942963907852266870927099","243333316162508045117700467971356675463","136353522893459943994047373945746878309","148175232626730612994081486700947435540","13333557960514413809273552246216766845","336404108204059135045481586579746593206","148136436887164206788240615518950867790","80902547330954605275798859333312404691","199291279638026700348763738412591521209","2139725881103368918024213779611523902","173283300070770028418730907068585477280","13807149361249426386396659685052722812","225372204863039360110731594248805780866","106371346731207130321765225482609143051","317303567779041714274559458258240458195","133185021651410417147625674385889302672","144958636281245224635966325855299807927","339910142121647559224017065196864827564","276773127508841465841325236415923293325"],"threshold":0.9},"deprecated":false,"target":{"file":"services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java"},"id":"CVE-2022-4361-976d8d8a","signature_type":"Line","signature_version":"v1"},{"source":"https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a","digest":{"length":431,"function_hash":"68792696561126574327685194184914418093"},"deprecated":false,"target":{"file":"services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java","function":"getNormalizedRedirectUri"},"id":"CVE-2022-4361-b425427f","signature_type":"Function","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-12T03:22:19Z","unresolved_ranges":[{"events":[{"introduced":"7.6"},{"fixed":"7.6.4"}]},{"events":[{"introduced":"0"},{"last_affected":"4.11"}]},{"events":[{"introduced":"0"},{"last_affected":"4.12"}]},{"events":[{"introduced":"0"},{"last_affected":"4.9"}]},{"events":[{"introduced":"0"},{"last_affected":"4.10"}]},{"events":[{"introduced":"0"},{"last_affected":"4.9"}]},{"events":[{"introduced":"0"},{"last_affected":"4.10"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-4361.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}