Vulnerability details: VCID-9czu-nrqb-kfec
Vulnerability ID VCID-9czu-nrqb-kfec
Aliases CVE-2022-2256
GHSA-w9mf-83w3-fv49
Summary: Keycloak vulnerable to Stored Cross-site Scripting (XSS) when loading default roles

A Stored XSS vulnerability was reported to the Keycloak security mailing list, affecting all versions of Keycloak, including the latest release at the time of the report (18.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console by abusing the default roles functionality.

### CVSS 3.1 - **3.8**

**Vector String:** AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

**Vector Clarification:**
* User interaction is not required, as the admin console is regularly used during an administrator's work
* The scope is unchanged, since the admin console web application is both the vulnerable component and where the exploit executes

### Credits
Aytaç Kalıncı, Ilker Bulgurcu, Yasin Yılmaz (@aytackalinci, @smileronin, @yasinyilmaz) - NETAŞ PENTEST TEAM
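A practical follow-up to the summary is to look for stored markup that is already sitting in a realm's role data. The page does not state which field of the default-roles feature carries the payload, so the check below is deliberately generic: it walks every string in a role object and flags anything that looks like HTML or script. This is an added example written for this page, not Keycloak's own code or the reporters' proof of concept; the sample roles are constructed to match the shape of Keycloak's RoleRepresentation (as returned by `GET /admin/realms/{realm}/roles`), and the markup in them is illustrative.

```python
import json
import re

# Markup-looking content that only matters if a value reaches the admin
# console's DOM without escaping. Conservative on purpose: a hunt check
# should over-flag and let a human decide.
SUSPICIOUS = re.compile(
    r"<\s*[a-zA-Z/!]"      # opening/closing tag or comment
    r"|javascript\s*:"     # javascript: URL
    r"|\bon[a-z]+\s*="     # inline event handler (onerror=, onload=, ...)
    r"|&#"                 # numeric HTML entity
    r"|%3c",               # URL-encoded '<'
    re.IGNORECASE,
)


def iter_strings(obj, path=""):
    """Yield (json_path, value) for every string nested anywhere in obj."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, val in obj.items():
            yield from iter_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from iter_strings(val, f"{path}[{i}]")


def find_suspicious_roles(roles):
    """Return [(role_name, json_path, value)] for every string that looks like markup."""
    hits = []
    for role in roles:
        for path, value in iter_strings(role):
            if SUSPICIOUS.search(value):
                hits.append((role.get("name", "?"), path, value))
    return hits


# Constructed sample data (not from the page or from a real realm): three roles in
# RoleRepresentation shape, two clean and one carrying illustrative markup in
# both its description and a custom attribute.
SAMPLE_ROLES = json.loads("""
[
  {"name": "offline_access", "description": "${role_offline-access}",
   "composite": false, "clientRole": false, "containerId": "demo"},
  {"name": "uma_authorization", "description": "${role_uma_authorization}",
   "composite": false, "clientRole": false, "containerId": "demo"},
  {"name": "reviewer", "description": "Reviewer <img src=x onerror=alert(1)>",
   "composite": false, "clientRole": false, "containerId": "demo",
   "attributes": {"display": ["<b>Reviewer</b>"]}}
]
""")


if __name__ == "__main__":
    for name, path, value in find_suspicious_roles(SAMPLE_ROLES):
        print(f"role={name!r} field={path} value={value!r}")
```

To run this against a live realm, fetch the role list with an admin bearer token and pass the decoded JSON array to `find_suspicious_roles`; the output is a triage list, not proof of exploitation, since a flagged value is only dangerous on an unpatched admin console that renders it unescaped.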
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System | Score | Found at
cvssv3 | 3.8 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2256.json
epss | 0.00308 | https://api.first.org/data/v1/epss?cve=CVE-2022-2256
cvssv3.1 | 5.4 | https://bugzilla.redhat.com/show_bug.cgi?id=2101942
generic_textual | MODERATE | https://bugzilla.redhat.com/show_bug.cgi?id=2101942
cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-w9mf-83w3-fv49
cvssv3.1 | 5.4 | https://github.com/keycloak/keycloak
generic_textual | MODERATE | https://github.com/keycloak/keycloak
cvssv3.1 | 5.4 | https://github.com/keycloak/keycloak/commit/8e705a65ab2aa2b079374ec859ee7a75fad5a7d9
generic_textual | MODERATE | https://github.com/keycloak/keycloak/commit/8e705a65ab2aa2b079374ec859ee7a75fad5a7d9
cvssv3.1 | 5.4 | https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49
cvssv3.1_qr | MODERATE | https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49
generic_textual | MODERATE | https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49
cvssv3.1 | 3.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-2256
cvssv3.1 | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2022-2256
generic_textual | MODERATE | https://nvd.nist.gov/vuln/detail/CVE-2022-2256
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2256.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=2101942
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/keycloak/keycloak
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/keycloak/keycloak/commit/8e705a65ab2aa2b079374ec859ee7a75fad5a7d9
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-2256
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-2256
Exploit Prediction Scoring System (EPSS)
Percentile 0.53494
EPSS Score 0.00308
Published At July 30, 2025, 12:55 p.m.
Date | Actor | Action | Source | VulnerableCode Version
2025-07-31T09:00:37.001645+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-w9mf-83w3-fv49/GHSA-w9mf-83w3-fv49.json | 37.0.0