Vulnerability Description
A flaw was found in Keycloak in the execute-actions-email endpoint, the admin REST API operation that emails a user a link to complete required actions such as resetting a password or verifying an address. Input supplied by the caller of that endpoint was placed into the generated email without HTML encoding, so arbitrary HTML could be injected into emails sent to Keycloak users. Because the message is a genuine email from the organization's own Keycloak instance, the injected content can be misused for phishing (for example, a convincing link to an attacker-controlled page) or other attacks against the recipients. Exploitation requires access to the admin API endpoint, which is why the impact is rated medium rather than high.
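The failure mode above is the classic one: a caller-supplied value is interpolated into an HTML email body as-is, so a value that closes the surrounding attribute can insert its own markup. The following Python snippet is an added illustration written for this page, not Keycloak's code; the link template, the registered-redirect allow-list and the attacker string are all constructed here to show the difference between the vulnerable pattern and a hardened one (validate against an allow-list, then HTML-encode what is rendered).

```python
import html
from urllib.parse import urlsplit

# Constructed sample: the redirect URIs registered for a client (assumption, not Keycloak data).
ALLOWED_REDIRECT_URIS = {"https://app.example.com/callback"}

# Constructed attacker input: closes the href attribute, injects a phishing link,
# and opens a dummy tag so the rest of the template still parses cleanly.
INJECTED_URI = (
    'https://app.example.com/callback"><a href="https://evil.example/login">'
    'Sign in again</a><p x="'
)


def render_link_vulnerable(redirect_uri: str) -> str:
    """Models the bug: a caller-controlled value pasted into HTML with no encoding."""
    return f'<a href="{redirect_uri}">Perform required actions</a>'


def escape_for_attribute(value: str) -> str:
    """HTML-encode a value for use inside a quoted attribute (quote=True encodes " and ')."""
    return html.escape(value, quote=True)


def is_allowed_redirect(redirect_uri: str, allowed: set) -> bool:
    """Strict allow-list check: must parse as an https URL and match a registered URI exactly."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return redirect_uri in allowed


def render_link_hardened(redirect_uri: str, allowed: set) -> str:
    """Reject anything not registered, then encode what is rendered (defense in depth)."""
    if not is_allowed_redirect(redirect_uri, allowed):
        raise ValueError("redirect_uri is not registered for this client")
    return f'<a href="{escape_for_attribute(redirect_uri)}">Perform required actions</a>'


def contains_injected_markup(rendered: str) -> bool:
    """Crude indicator used only for this demo: a second anchor means the input broke out."""
    return rendered.count("<a ") > 1


if __name__ == "__main__":
    print("vulnerable:", render_link_vulnerable(INJECTED_URI))
    print("hardened  :", render_link_hardened("https://app.example.com/callback", ALLOWED_REDIRECT_URIS))
```

Encoding alone would already stop the breakout (the quotes become `&quot;`), but the allow-list is what keeps an attacker from steering users to a foreign host with a syntactically clean URL, which is the phishing scenario the advisory describes.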
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Keycloak | < 20.0.5 |
| Redhat | Single Sign-On | - |
| Redhat | Enterprise Linux | 7.0 |
| Redhat | Openshift Container Platform | 4.9 |
| Redhat | Enterprise Linux For Ibm Z Systems | 8.0 |
| Redhat | Enterprise Linux For Ibm Z Systems Eus | 8.0 |
| Redhat | Enterprise Linux For Power Little Endian | 8.0 |
| Redhat | Enterprise Linux For Power Little Endian Eus | 8.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2073157 (Issue Tracking, Vendor Advisory)
- https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725 (Third Party Advisory)
- https://herolab.usd.de/security-advisories/usd-2021-0033/
FAQ
What is CVE-2022-1274?
CVE-2022-1274 is a vulnerability with a CVSS score of 5.4 (MEDIUM). A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
How severe is CVE-2022-1274?
CVE-2022-1274 has been rated MEDIUM with a CVSS base score of 5.4/10. The rating reflects that the injection requires access to the admin REST API endpoint and that the direct impact is on the integrity of emails sent to users (phishing), not on the Keycloak server itself.
Is there a patch for CVE-2022-1274?
Yes. The affected-products table lists Keycloak versions before 20.0.5 as vulnerable, so upgrading to 20.0.5 or later resolves the issue for the upstream project; consult the Red Hat Bugzilla entry and the GitHub security advisory in the references section for the fixed builds of the downstream products. Affected products include: Redhat Keycloak, Redhat Single Sign-On, Redhat Enterprise Linux, Redhat Openshift Container Platform, Redhat Enterprise Linux For Ibm Z Systems, and the Power Little Endian variants listed above.