VYPR
Critical severity · NVD Advisory · Published Jan 11, 2023 · Updated Apr 9, 2025

CVE-2022-3782

Description

keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Keycloak fails to validate double URL-encoded redirect URIs, allowing path traversal and potential access to sensitive endpoints.

Vulnerability

Overview

CVE-2022-3782 is a path traversal vulnerability in Keycloak caused by improper validation of redirect URIs. The flaw occurs when Keycloak does not correctly decode URLs that have been double URL-encoded (e.g., %252E%252E representing ../ after two decoding passes). This allows an attacker to bypass the intended URI validation and redirect users to arbitrary paths within the same domain [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious redirect URI that uses double encoding to represent path traversal sequences. The attack requires that the targeted Keycloak client has a wildcard (*) configured in the "Valid Redirect URIs" field. The attacker must also be able to lure a victim into clicking a crafted link or initiating an OAuth flow with the malicious redirect URI [2]. The vulnerability is demonstrated by the test cases added in the fix commit, which show that double-encoded ../ sequences were incorrectly accepted before the patch [3].

Impact

Successful exploitation allows an attacker to perform path traversal, accessing other URLs within the same domain that were not intended to be reachable via redirects. This could lead to disclosure of sensitive information, such as internal endpoints or authentication tokens, and potentially enable further attacks like open redirect or cross-site scripting (XSS) if combined with other weaknesses [1][2].

Mitigation

The vulnerability has been addressed in Keycloak releases 20.0.3 and 21.0.0, where the redirect URI validation now correctly handles multiple layers of URL encoding [3]. Users should update to these or later versions. For clients that cannot upgrade immediately, administrators should review and restrict the use of wildcard redirect URIs as a precautionary measure [1].
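As an added illustration (not Keycloak's own code), the following minimal redirect-URI validator for a wildcard client places a flawed single-decode check beside a hardened one. The allow-list, URLs and function names are constructed for the example, and rejecting any value that still decodes further is a stricter choice than the upstream fix described above, which handles multiple encoding layers.

```python
from urllib.parse import urlsplit, unquote

# Constructed allow-list: a client using a wildcard in "Valid Redirect URIs",
# the configuration the advisory says is affected.
ALLOWED_REDIRECTS = ["https://app.example.com/callback/*"]


def _matches(candidate: str, pattern: str) -> bool:
    """Prefix match for a trailing-'*' pattern, exact match otherwise."""
    if pattern.endswith("*"):
        return candidate.startswith(pattern[:-1])
    return candidate == pattern


def _has_dot_segment(path: str) -> bool:
    """True if any path segment is '.' or '..' (a traversal attempt)."""
    return any(seg in (".", "..") for seg in path.split("/"))


def validate_redirect_naive(uri: str) -> bool:
    """Flawed check modelled on the advisory: one decoding pass, then a
    dot-segment filter and the wildcard match. '%252E%252E' decodes only to
    '%2E%2E', so the filter sees no '..' and the prefix still matches."""
    decoded = unquote(uri)
    parts = urlsplit(decoded)
    if _has_dot_segment(parts.path):
        return False
    return any(_matches(decoded, p) for p in ALLOWED_REDIRECTS)


def validate_redirect_hardened(uri: str) -> bool:
    """Hardened check: decode once, refuse anything that is still
    percent-encoded after that pass (so a second layer can never survive to
    a later decoder), then filter dot segments and match the wildcard."""
    decoded = unquote(uri)
    if unquote(decoded) != decoded:
        return False  # e.g. %252E -> %2E -> '.' : multi-layer encoding
    parts = urlsplit(decoded)
    if not parts.scheme or not parts.netloc or "\\" in parts.path:
        return False
    if _has_dot_segment(parts.path):
        return False
    return any(_matches(decoded, p) for p in ALLOWED_REDIRECTS)
```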

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Ecosystem  Affected versions  Patched versions
org.keycloak:keycloak-parent  Maven      < 20.0.2           20.0.2
