Vulnerability details: VCID-ffj4-zmgw-1kaj
Vulnerability ID VCID-ffj4-zmgw-1kaj
Aliases CVE-2022-2668, GHSA-wf7g-7h6h-678v
Summary Keycloak SAML JavaScript protocol mapper: uploading of scripts through the admin console. An issue was discovered in Keycloak that allows arbitrary JavaScript to be uploaded for the SAML protocol mapper even if the `UPLOAD_SCRIPTS` feature is disabled.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (3)
System Score Found at
cvssv3 6.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2668.json
cvssv3.1 7.2 https://access.redhat.com/security/cve/CVE-2022-2668
generic_textual HIGH https://access.redhat.com/security/cve/CVE-2022-2668
epss 0.00235 https://api.first.org/data/v1/epss?cve=CVE-2022-2668
cvssv3.1 7.2 https://bugzilla.redhat.com/show_bug.cgi?id=2115392
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=2115392
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-wf7g-7h6h-678v
cvssv3.1 7.2 https://github.com/keycloak/keycloak
generic_textual HIGH https://github.com/keycloak/keycloak
cvssv3.1 7.2 https://github.com/keycloak/keycloak/commit/e2ae7eef39b27e48ffa4764995d558555f02838c
generic_textual HIGH https://github.com/keycloak/keycloak/commit/e2ae7eef39b27e48ffa4764995d558555f02838c
cvssv3.1 7.2 https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v
cvssv3.1_qr HIGH https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v
generic_textual HIGH https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v
cvssv3.1 7.2 https://nvd.nist.gov/vuln/detail/CVE-2022-2668
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-2668
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2668.json
Attack Vector (AV) network; Attack Complexity (AC) high; Privileges Required (PR) high; User Interaction (UI) required; Scope (S) unchanged; Confidentiality Impact (C) high; Integrity Impact (I) high; Availability Impact (A) high

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/security/cve/CVE-2022-2668
Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) high; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) high; Integrity Impact (I) high; Availability Impact (A) high

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://bugzilla.redhat.com/show_bug.cgi?id=2115392
Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) high; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) high; Integrity Impact (I) high; Availability Impact (A) high

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/keycloak/keycloak
Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) high; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) high; Integrity Impact (I) high; Availability Impact (A) high

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/keycloak/keycloak/commit/e2ae7eef39b27e48ffa4764995d558555f02838c
Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) high; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) high; Integrity Impact (I) high; Availability Impact (A) high

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v
Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) high; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) high; Integrity Impact (I) high; Availability Impact (A) high

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-2668
Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) high; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) high; Integrity Impact (I) high; Availability Impact (A) high

Exploit Prediction Scoring System (EPSS)
Percentile 0.46444
EPSS Score 0.00235
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:00:37.690424+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-wf7g-7h6h-678v/GHSA-wf7g-7h6h-678v.json 37.0.0