{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-2237", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2025-02-24T19:15:29.345Z", "dateReserved": "2022-06-28T00:00:00.000Z", "datePublished": "2023-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-03-27T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function."}], "affected": [{"vendor": "n/a", "product": "Keycloak", "versions": [{"version": "unknown", "status": "affected"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-601", "cweId": "CWE-601"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:09.552Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007", "tags": ["x_transferred"]}]}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-02-24T19:14:56.710280Z", "id": "CVE-2022-2237", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-24T19:15:29.345Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:09.552Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-2237", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-24T19:14:56.710280Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-24T19:15:21.877Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "Keycloak", "versions": [{"status": "affected", "version": "unknown"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-03-27T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-2237", "state": "PUBLISHED", "dateUpdated": "2025-02-24T19:15:29.345Z", "dateReserved": "2022-06-28T00:00:00.000Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2023-03-27T00:00:00.000Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak_node.js_adapter:-:*:*:*:*:*:*:*", "matchCriteriaId": "D7F0D638-83CE-4F73-B98E-87A36A73F1C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function."}], "id": "CVE-2022-2237", "lastModified": "2025-02-24T20:15:31.973", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-03-27T22:15:11.817", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Ayta\u00e7 Kal\u0131nc\u0131 (NETA\u015e PENTEST TEAM), Ilker Bulgurcu (NETA\u015e PENTEST TEAM), and Yasin Y\u0131lmaz (NETA\u015e PENTEST TEAM) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2023:1049", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6", "product_name": "Red Hat Single Sign-On 7.0", "release_date": "2023-03-01T00:00:00Z"}], "bugzilla": {"description": "Adapter: Open redirect vulnerability in checkSSO", "id": "2097007", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-601", "details": ["A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.", "A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function."], "name": "CVE-2022-2237", "package_state": [{"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "keycloak-adapter-core", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Not affected", "package_name": "keycloak-adapter-core", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-core", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "keycloak-adapter-core", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "keycloak-adapter-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "keycloak-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-core", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "keycloak-adapter-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "keycloak-adapter-core", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "keycloak-core", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "keycloak-js-adapter", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "keycloak-adapter-core", "product_name": "Red Hat support for Spring Boot"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "keycloak-core", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2023-03-01T13:57:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-2237\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2237"], "statement": "CodeReady Studio is no longer supported. Therefore, this flaw will not be addressed in CodeReady Studio. Please see https://developers.redhat.com/articles/2022/04/18/announcement-red-hat-codeready-studio-reaches-end-life for more information.", "threat_severity": "Moderate"}