High severity · 7.5 · NVD Advisory · Published Nov 14, 2024 · Updated Apr 15, 2026


CVE-2022-2232

Description

A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.keycloak:keycloak-ldap-federation (Maven) | < 23.0.1 | 23.0.1
org.keycloak:keycloak-services (Maven) | < 23.0.1 | 23.0.1

Patches

1
4252e394cf72

Escape ldap id when using normal attribute syntax (#25)

https://github.com/keycloak/keycloak · Ricardo Martin · Nov 7, 2023 · via ghsa
3 files changed · +45 2
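--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java
@@ -24,6 +24,7 @@
 import org.keycloak.models.ModelException;
 import org.keycloak.storage.ldap.LDAPConfig;
 import org.keycloak.storage.ldap.idm.model.LDAPDn;
+import org.keycloak.storage.ldap.idm.query.EscapeStrategy;
 import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
 import org.keycloak.storage.ldap.idm.store.ldap.extended.PasswordModifyRequest;
 import org.keycloak.storage.ldap.mappers.LDAPOperationDecorator;
@@ -386,7 +387,7 @@ public String getFilterById(String id) {
                 ).append(LDAPUtil.convertGUIDToEdirectoryHexString(id)).append(")");
         } else {
             filter.append("(objectClass=*)(").append(getUuidAttributeName()).append(LDAPConstants.EQUAL)
-                .append(id).append(")");
+                .append(EscapeStrategy.DEFAULT.escape(id)).append(")");
         }
 
         if (config.getCustomUserSearchFilter() != null) {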
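Review bot: The `+` line now escapes `id` with `EscapeStrategy.DEFAULT` in the plain-attribute branch, but nothing next to it records why, so a later refactor could drop it again; a comment such as `// id can originate from caller input (e.g. when the UUID attribute is a plain string attribute), so it must be escaped before being placed in the filter` would anchor the fix. The sibling branch two lines above still appends `LDAPUtil.convertGUIDToEdirectoryHexString(id)` without escaping; whether that helper can only emit filter-safe hex characters is not visible here and is worth confirming, ideally with a case in LDAPSpecialCharsTest like the one this commit adds. `getFilterById` starts before and continues past this hunk.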
    
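--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
@@ -170,7 +170,7 @@ private UserModel getUser(AuthenticationFlowContext context, MultivaluedMap<Stri
 
     private UserModel getUserFromForm(AuthenticationFlowContext context, MultivaluedMap<String, String> inputData) {
         String username = inputData.getFirst(AuthenticationManager.FORM_USERNAME);
-        if (username == null) {
+        if (username == null || username.isEmpty()) {
             context.getEvent().error(Errors.USER_NOT_FOUND);
             Response challengeResponse = challenge(context, getDefaultChallengeMessage(context), FIELD_USERNAME);
             context.failureChallenge(AuthenticationFlowError.INVALID_USER, challengeResponse);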
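Review bot: The guard on the `+` line rejects an empty username but still lets a whitespace-only value through; if the lookup that follows trims the value before querying the user store (not visible in this hunk), `username.trim().isEmpty()` would apply the same rule consistently, and if it does not, a short comment saying the value is used verbatim would help. The reason for short-circuiting to `USER_NOT_FOUND` rather than letting the lookup fail is also not recorded; a comment like `// never hand an empty username to the user store lookup` next to the check would make the intent clear. `getUserFromForm` continues past the end of the hunk.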
    
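--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPSpecialCharsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPSpecialCharsTest.java
@@ -31,6 +31,7 @@
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
+import org.keycloak.representations.idm.ComponentRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.storage.ldap.idm.model.LDAPObject;
 import org.keycloak.storage.ldap.mappers.membership.LDAPGroupMapperMode;
@@ -198,4 +199,45 @@ public void test03_specialCharUserJoiningSpecialCharGroup() {
         });
     }
 
+    @Test
+    public void test04_loginWithSpecialCharacterUsingSameUUIDThanUsernameAttribute() {
+        // remove users from the ldap to use the new UUID attribute
+        adminClient.realm(TEST_REALM_NAME).userStorage().removeImportedUsers(ldapModelId);
+
+        // change the UUID attribute to be the username attribute
+        String origUuidAttrName = testingClient.server().fetch(session -> {
+            LDAPTestContext ctx = LDAPTestContext.init(session);
+
+            String uidAttrName = ctx.getLdapProvider().getLdapIdentityStore().getConfig().getUsernameLdapAttribute();
+            String origUuidAttrNamee = ctx.getLdapModel().get(LDAPConstants.UUID_LDAP_ATTRIBUTE);
+            ctx.getLdapModel().put(LDAPConstants.UUID_LDAP_ATTRIBUTE, uidAttrName);
+            ctx.getRealm().updateComponent(ctx.getLdapModel());
+
+            return origUuidAttrNamee;
+        }, String.class);
+
+        try {
+            // assert the user is found and UUID is the name
+            List<UserRepresentation> users = adminClient.realm(TEST_REALM_NAME).users().search("jamees,key*cložak)ppp", true);
+            Assert.assertEquals("User not found", 1, users.size());
+            UserRepresentation jamees = users.iterator().next();
+            Assert.assertEquals("Incorrect user", "jamees,key*cložak)ppp", jamees.getUsername());
+            Assert.assertEquals("Incorrect UUID attribute", "jamees,key*cložak)ppp", jamees.firstAttribute(LDAPConstants.LDAP_ID));
+
+            // Fail login with wildcard
+            loginPage.open();
+            loginPage.login("jamees*", "Password1");
+            Assert.assertEquals("Invalid username or password.", loginPage.getInputError());
+
+            // Success login as username exactly match
+            loginPage.login("jamees,key*cložak)ppp", "Password1");
+            Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
+            Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
+        } finally {
+            // Revert config changes to be back to previous UUID attribute
+            ComponentRepresentation ldapRep = testRealm().components().component(ldapModelId).toRepresentation();
+            ldapRep.getConfig().putSingle(LDAPConstants.UUID_LDAP_ATTRIBUTE, origUuidAttrName);
+            testRealm().components().component(ldapModelId).update(ldapRep);
+        }
+    }
 }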
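Review bot: The lambda-local `origUuidAttrNamee` reads as a typo of the enclosing `origUuidAttrName` it is returned into; since the lambda body cannot reuse the enclosing name, a deliberately distinct one such as `previousUuidAttrName` would make that clear, e.g. `String previousUuidAttrName = ctx.getLdapModel().get(LDAPConstants.UUID_LDAP_ATTRIBUTE);` and `return previousUuidAttrName;`. The `finally` block reverts through the admin REST component API while the change was made server-side via `ctx.getRealm().updateComponent(...)`; presumably both address the component identified by `ldapModelId`, and a one-line comment stating that would spare the next reader the cross-check. The wildcard-login assertion is the one that exercises the escaping fix, so a comment naming it as the regression check for the filter escaping would also help.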
    
