Advisory ID: usd-2021-0033
Product: Keycloak
Affected Version: < 20.0.5
Vulnerability Type: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Security Risk: LOW
Vendor: Red Hat
Vendor URL: https://www.keycloak.org/security.html
CVE number: CVE-2022-1274
Affected Component(s)
PUT /{realm}/users/{id}/execute-actions-email (see documentation https://www.keycloak.org/docs-api/15.0/rest-api/index.html)
Introduction
The "execute-actions-email" endpoint of the Keycloak Admin REST API accepts a JSON array of required-action names and echoes them, without HTML encoding, into the "Update Your Account" email sent to the targeted user. An actor with access to the Admin REST API (the endpoint requires administrative permissions on the realm, which is why the risk is rated LOW) can therefore send Keycloak users emails containing phishing links from the legitimate Keycloak sender address.
Proof of Concept
Please see screenshots provided.
- An HTML anchor is supplied as one entry of the required-actions array in the body of the Keycloak Admin REST API execute-actions-email PUT request. Payload: " Click <a href=\"https://www.usd.de\">HERE to reset your password"
- The injected link is rendered as live HTML in the "Update Your Account" email that Keycloak sends to the specified user, alongside the legitimate account-update link.
- When the Keycloak user clicks on the link, they are taken to the URL specified in the injected HTML anchor.
Fix
It is recommended to treat any form of user-supplied input as potentially dangerous and not to process it further without a sufficient level of filtering.
In this case, HTML special characters in the submitted action names should be encoded before the application embeds them into the email body. Rejecting action names that do not correspond to a required action registered in the realm would additionally prevent arbitrary text from reaching the email at all.
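The following Python block is an added example and is not code from the advisory or from the Keycloak project. It builds the Proof of Concept request exactly as the advisory describes it (a JSON array of action names sent with PUT to the execute-actions-email endpoint), models the email rendering before and after the recommended HTML encoding, and adds a check that flags links in the rendered mail which do not point at the Keycloak host. The hostname kc.example, the realm, the user id, the token, the approximated email wording and the illustrative allowlist of required-action aliases are assumptions, not values taken from the advisory.

```python
"""Added example (not from the advisory or the Keycloak project).

Shows the PoC request for PUT /{realm}/users/{id}/execute-actions-email,
a minimal model of the "Update Your Account" mail before and after the fix,
and a check that flags links in the mail not pointing at the Keycloak host.
"""
import html
import json
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Payload quoted in the advisory's PoC (its missing </a> is kept as-is).
PHISHING_ACTION = ' Click <a href="https://www.usd.de">HERE to reset your password'

# Required-action aliases that ship with Keycloak; illustrative allowlist only
# (assumption: a real fix would consult the realm's registered providers).
KNOWN_ACTIONS = frozenset({
    "CONFIGURE_TOTP", "TERMS_AND_CONDITIONS", "UPDATE_PASSWORD",
    "UPDATE_PROFILE", "VERIFY_EMAIL", "update_user_locale",
})

# Approximation of the mail body; the wording is not Keycloak's exact template.
EMAIL_TEMPLATE = (
    "<p>Your administrator has just requested that you update your account "
    "by performing the following action(s): {items}</p>"
    '<p><a href="{link}">Link to account update</a></p>'
)

# Constructed sample values (assumptions).
ACTION_LINK = "https://kc.example/realms/master/login-actions/action-token?key=TOKEN"
TRUSTED_HOST = "kc.example"


def build_execute_actions_request(base_url, realm, user_id, actions, admin_token):
    """PUT /{realm}/users/{id}/execute-actions-email with a JSON array of
    action names, the request shape the PoC abuses.  Nothing is sent here."""
    url = f"{base_url}/admin/realms/{realm}/users/{user_id}/execute-actions-email"
    return urllib.request.Request(
        url,
        data=json.dumps(actions).encode(),
        method="PUT",
        headers={
            "Authorization": f"Bearer {admin_token}",
            "Content-Type": "application/json",
        },
    )


def render_email_vulnerable(actions, link):
    """Pre-fix behaviour as the advisory describes it: action names are
    concatenated into the HTML body without any encoding."""
    return EMAIL_TEMPLATE.format(items=", ".join(actions), link=link)


def escape_action_name(name):
    """The advisory's recommendation: HTML-encode special characters before
    embedding.  quote=True also encodes '"' so attribute contexts stay safe."""
    return html.escape(name, quote=True)


def render_email_hardened(actions, link, known_actions=KNOWN_ACTIONS):
    """Encoding plus an optional allowlist check.  The allowlist is an added
    defence beyond what the advisory prescribes; pass known_actions=None to
    get the advisory's encoding-only fix."""
    if known_actions is not None:
        unknown = sorted(set(actions) - set(known_actions))
        if unknown:
            raise ValueError(f"unknown required action(s): {unknown}")
    items = ", ".join(escape_action_name(a) for a in actions)
    return EMAIL_TEMPLATE.format(items=items, link=link)


class _LinkCollector(HTMLParser):
    """Collects href values of <a> start tags from rendered mail."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def find_foreign_links(email_html, trusted_host=TRUSTED_HOST):
    """Outbound-mail check: any <a href> whose host is not the Keycloak host
    is suspicious.  Encoded markup is plain text, so it yields no link."""
    collector = _LinkCollector()
    collector.feed(email_html)
    return [h for h in collector.hrefs if urlparse(h).hostname != trusted_host]


if __name__ == "__main__":
    req = build_execute_actions_request(
        "https://kc.example", "master", "1234", [PHISHING_ACTION], "ADMIN_TOKEN")
    print(req.get_method(), req.full_url, req.data.decode())
    print("vulnerable:", find_foreign_links(render_email_vulnerable([PHISHING_ACTION], ACTION_LINK)))
    print("encoded:", find_foreign_links(render_email_hardened([PHISHING_ACTION], ACTION_LINK, None)))
    print("allowlisted:", render_email_hardened(["UPDATE_PASSWORD"], ACTION_LINK))
```

Running the script prints the PUT request that reproduces the PoC, the foreign link that the unencoded rendering exposes, an empty list for the encoded rendering, and the normal mail for a legitimate action; with the allowlist enabled, the injected action name is rejected before any mail is built.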
References
Timeline
2021-12-14: Vulnerability reported to the vendor by the Responsible Disclosure team of usd AG
2021-06-14: Sent reminder to vendor
2023-02-27: Issue fixed in Keycloak 20.0.5
2023-12-22: Publish advisory
Credits
This security vulnerability was found by Marcus Nilsson of usd AG.