CVE-2022-2232

Keycloak: ldap injection on username input

Description

A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions.

Remediation

Workaround:

This flaw requires a misconfiguration of the "UUID LDAP Attribute" values. When they are set to the standard entryUUID, objectGUID or nsuniqueid Keycloak is not vulnerable.

References

Link	Tags
https://access.redhat.com/errata/RHSA-2024:0094	vendor advisory
https://access.redhat.com/errata/RHSA-2024:0095	vendor advisory
https://access.redhat.com/errata/RHSA-2024:0096	vendor advisory
https://access.redhat.com/security/cve/CVE-2022-2232	vdb entry
https://bugzilla.redhat.com/show_bug.cgi?id=2096994	issue tracking

Frequently Asked Questions

What is the severity of CVE-2022-2232?: CVE-2022-2232 has been scored as a high severity vulnerability.
How to fix CVE-2022-2232?: As a workaround for remediating CVE-2022-2232: This flaw requires a misconfiguration of the "UUID LDAP Attribute" values. When they are set to the standard entryUUID, objectGUID or nsuniqueid Keycloak is not vulnerable.
Is CVE-2022-2232 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-2232 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-2232?: CVE-2022-2232 affects Red Hat Red Hat Single Sign-On 7, Red Hat Red Hat Single Sign-On 7, Red Hat Red Hat Single Sign-On 7, Red Hat Red Hat Single Sign-On 7.

Description

Remediation

Category

CWE-20 – Improper Input Validation

References

Frequently Asked Questions