labsai/EDDI

quarkus-keycloak-authorization-2.14.1.Final.jar: 1 vulnerability (highest severity is: 5.4) - autoclosed

mend-bolt-for-github opened this issue · 1 comment

Vulnerable Library - quarkus-keycloak-authorization-2.14.1.Final.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/keycloak/keycloak-core/19.0.3/keycloak-core-19.0.3.jar

Vulnerabilities

CVE           Severity  CVSS  Dependency                Type        Fixed in (quarkus-keycloak-authorization version)  Remediation Available
WS-2022-0408  Medium    5.4   keycloak-core-19.0.3.jar  Transitive  N/A*

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

Details

WS-2022-0408

Vulnerable Library - keycloak-core-19.0.3.jar

Library home page: http://keycloak.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/keycloak/keycloak-core/19.0.3/keycloak-core-19.0.3.jar

Dependency Hierarchy:

  • quarkus-keycloak-authorization-2.14.1.Final.jar (Root Library)
    • keycloak-core-19.0.3.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A Stored XSS vulnerability was reported on the Keycloak Security mailing list, affecting all versions of Keycloak, including the latest release (16.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console by abusing the groups dropdown functionality.

Publish Date: 2022-11-30

URL: WS-2022-0408

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-755v-r4x4-qf7m

Release Date: 2022-11-30

Fix Resolution: org.keycloak:keycloak-core:20.0.0


✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.