Advisory ID: usd-2021-0033
Product: Password Keycloak
Affected Version: < 20.0.5
Vulnerability Type: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Security Risk: LOW
Vendor: Red Hat
Vendor URL: https://www.keycloak.org/security.html
CVE number: CVE-2022-1274

Affected Component(s)

PUT /{realm}/users/{id}/execute-actions-email (see documentation https://www.keycloak.org/docs-api/15.0/rest-api/index.html)

Introduction

The "execute-actions-email" endpoint of the Keycloak Admin REST API allows a malicious actor to send emails containing phishing links to Keycloak users.

Proof of Concept

Please see screenshots provided.

  1. An HTML link is inserted as an action parameter into the body of the Keycloak Admin REST API execute-actions-email PUT request. Payload: " Click <a href=\"https://www.usd.de\">HERE to reset your password"

  2. The potentially malicious phishing link is rendered in the "Update Your Account" email that is sent to the specified Keycloak user.

  3. When the Keycloak user clicks on the link, they are redirected to the URL specified in the injected HTML link.

Fix

Any user-supplied input should be treated as potentially dangerous and must not be processed further without sufficient filtering.
In this case, HTML special characters in the action parameters should be encoded before the application embeds them into the email body, so that injected markup is rendered as literal text rather than as a link.
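The following is an added illustration, not Keycloak's own code: it contrasts embedding the action parameter verbatim in an email template with HTML-encoding it first, and adds an assumed allowlist of known required-action names plus a simple request-side check that flags parameters carrying markup. The payload string, template and action names are constructed for the example.

```python
import html
import re
from typing import Iterable, List

# Constructed payload, modelled on the one described in the advisory.
PAYLOAD = ' Click <a href="https://www.usd.de">HERE to reset your password'

# Hypothetical allowlist of required-action identifiers (assumption); a real
# deployment would take these from the server's registered required actions.
KNOWN_ACTIONS = {"UPDATE_PASSWORD", "VERIFY_EMAIL", "UPDATE_PROFILE", "CONFIGURE_TOTP"}

# Constructed stand-in for the "Update Your Account" email template.
TEMPLATE = "<p>Your administrator has requested that you: {actions}</p>"


def render_vulnerable(actions: Iterable[str]) -> str:
    """Embeds the action names verbatim: markup inside an action survives into the email."""
    return TEMPLATE.format(actions=", ".join(actions))


def render_hardened(actions: Iterable[str]) -> str:
    """Escapes each action name so the mail client shows it as text, never as HTML."""
    escaped = (html.escape(a, quote=True) for a in actions)
    return TEMPLATE.format(actions=", ".join(escaped))


def validate_actions(actions: Iterable[str]) -> List[str]:
    """Defense in depth: reject anything that is not a known required-action id."""
    actions = list(actions)
    unknown = [a for a in actions if a not in KNOWN_ACTIONS]
    if unknown:
        raise ValueError(f"unknown required actions: {unknown}")
    return actions


def contains_markup(value: str) -> bool:
    """Detection helper: True when a request parameter carries an HTML tag."""
    return re.search(r"<\s*/?\s*[A-Za-z]", value) is not None


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(["UPDATE_PASSWORD", PAYLOAD]))
    print("hardened:  ", render_hardened(["UPDATE_PASSWORD", PAYLOAD]))
```

Logging every request whose action parameter makes contains_markup() return True gives a cheap detection signal for this abuse pattern on unpatched instances.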

References

Timeline

2021-12-14: Vulnerability reported to the Responsible Disclosure team of usd AG
2021-06-14: Sent reminder to vendor
2023-02-27: Issue fixed in Keycloak 20.0.5
2023-12-22: Advisory published

Credits

This security vulnerability was found by Marcus Nilsson of usd AG.