CVE-2022-2668: Keycloak allows arbitrary Javascript to be uploaded for SAML protocol mapper even if UPLOAD_SCRIPTS feature disabled

August 6, 2022 (updated August 18, 2022)

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled

References

access.redhat.com/security/cve/CVE-2022-2668
bugzilla.redhat.com/show_bug.cgi?id=2115392
github.com/advisories/GHSA-q2gp-gph3-88x9
nvd.nist.gov/vuln/detail/CVE-2022-2668

Code Behaviors & Features

Detect and mitigate CVE-2022-2668 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →