Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-b7wt-ds9h-9bcu

Summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.

Aliases

alias	CVE-2022-4137

alias	GHSA-9hhc-pj4w-w5rv

alias	GMS-2023-616

Fixed_packages

Affected_packages

url pkg:maven/org.keycloak/keycloak-core@None

purl pkg:maven/org.keycloak/keycloak-core@None

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38u7-pvx6-ayb4

vulnerability	VCID-b7wt-ds9h-9bcu

vulnerability	VCID-e5va-tex4-5yea

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@None

url pkg:maven/org.keycloak/keycloak-model-infinispan@None

purl pkg:maven/org.keycloak/keycloak-model-infinispan@None

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38u7-pvx6-ayb4

vulnerability	VCID-b7wt-ds9h-9bcu

vulnerability	VCID-e5va-tex4-5yea

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-model-infinispan@None

url pkg:maven/org.keycloak/keycloak-model-jpa@None

purl pkg:maven/org.keycloak/keycloak-model-jpa@None

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38u7-pvx6-ayb4

vulnerability	VCID-b7wt-ds9h-9bcu

vulnerability	VCID-e5va-tex4-5yea

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-model-jpa@None

url pkg:maven/org.keycloak/keycloak-parent@None

purl pkg:maven/org.keycloak/keycloak-parent@None

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38u7-pvx6-ayb4

vulnerability	VCID-3gsk-s8fd-cqgs

vulnerability	VCID-b7wt-ds9h-9bcu

vulnerability	VCID-e5va-tex4-5yea

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@None

url pkg:maven/org.keycloak/keycloak-saml-core-public@None

purl pkg:maven/org.keycloak/keycloak-saml-core-public@None

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38u7-pvx6-ayb4

vulnerability	VCID-b7wt-ds9h-9bcu

vulnerability	VCID-e5va-tex4-5yea

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-saml-core-public@None

url pkg:maven/org.keycloak/keycloak-server-spi-private@None

purl pkg:maven/org.keycloak/keycloak-server-spi-private@None

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38u7-pvx6-ayb4

vulnerability	VCID-b7wt-ds9h-9bcu

vulnerability	VCID-e5va-tex4-5yea

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-server-spi-private@None

url pkg:maven/org.keycloak/keycloak-services@None

purl pkg:maven/org.keycloak/keycloak-services@None

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38u7-pvx6-ayb4

vulnerability	VCID-3gsk-s8fd-cqgs

vulnerability	VCID-b7wt-ds9h-9bcu

vulnerability	VCID-e5va-tex4-5yea

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@None

url pkg:maven/org.keycloak/keycloak-wildfly-server-subsystem@None

purl pkg:maven/org.keycloak/keycloak-wildfly-server-subsystem@None

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38u7-pvx6-ayb4

vulnerability	VCID-b7wt-ds9h-9bcu

vulnerability	VCID-e5va-tex4-5yea

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-wildfly-server-subsystem@None

url pkg:npm/keycloak-connect@0.0.0

purl pkg:npm/keycloak-connect@0.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-b7wt-ds9h-9bcu

vulnerability	VCID-e5va-tex4-5yea

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/keycloak-connect@0.0.0

References

reference_url	https://access.redhat.com/errata/RHSA-2023:1043
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1043

reference_url	https://access.redhat.com/errata/RHSA-2023:1044
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1044

reference_url	https://access.redhat.com/errata/RHSA-2023:1045
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1045

reference_url	https://access.redhat.com/errata/RHSA-2023:1049
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1049

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2148496
reference_id
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2148496

reference_url	https://github.com/keycloak/keycloak/commit/30d0e9d22dae51392e5a3748a1c68c116667359a
reference_id
reference_type
scores
url	https://github.com/keycloak/keycloak/commit/30d0e9d22dae51392e5a3748a1c68c116667359a

reference_url	https://github.com/keycloak/keycloak/pull/16774
reference_id
reference_type
scores
url	https://github.com/keycloak/keycloak/pull/16774

reference_url	https://access.redhat.com/security/cve/CVE-2022-4137
reference_id	CVE-2022-4137
reference_type
scores
url	https://access.redhat.com/security/cve/CVE-2022-4137

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2022-4137
reference_id	CVE-2022-4137
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2022-4137

reference_url	https://github.com/advisories/GHSA-9hhc-pj4w-w5rv
reference_id	GHSA-9hhc-pj4w-w5rv
reference_type
scores
url	https://github.com/advisories/GHSA-9hhc-pj4w-w5rv

reference_url	https://github.com/keycloak/keycloak/security/advisories/GHSA-9hhc-pj4w-w5rv
reference_id	GHSA-9hhc-pj4w-w5rv
reference_type
scores
url	https://github.com/keycloak/keycloak/security/advisories/GHSA-9hhc-pj4w-w5rv

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	79
name	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
description	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b7wt-ds9h-9bcu

Vulnerability Instance