CVE-2022-3782 - Keycloak Path Traversal Vulnerability via Double URL Encoding Exploited

A newly discovered vulnerability, CVE-2022-3782, affects the popular open-source Keycloak identity and access management solution, allowing for a potential path traversal attack via double URL encoding. This post will dive deep into the details of this vulnerability, discussing the code snippet exhibiting the issue, links to original references, and providing a clear explanation of the exploit.

Vulnerability Details

The vulnerability occurs due to improper validation of URLs in the redirect process. An attacker can exploit this flaw to craft a malicious request that bypasses validation, accesses sensitive URLs within the domain, and potentially conducts further attacks. This security flaw affects Keycloak clients that use a wildcard (*) in the Valid Redirect URIs field.

Code Snippet

The issue in the Keycloak source code resides within the following line, where the redirect_uri parameter is not properly validated before redirecting:

if (URIParser.verifyRedirectUri(redirectUri, validRedirects, clientRootUrl)) {
    return redirectUri;
} else {
    return null;
}

Exploit Explanation

To understand the exploit better, let's look at an example. Assume a Keycloak client uses a wildcard in the Valid Redirect URIs field, like this:

https://www.example.com/*

An attacker can exploit this configuration by constructing a malicious URL. This URL can use double encoding to bypass the verification process:

https://auth-server/realms/realm-name/protocol/openid-connect/auth?client_id=client-id&redirect_uri=https%3a%2f%2fwww.example.com%2f%252E%252E%2fmalicious

The redirect URI mentioned in the above URL is double-encoded: %252E%252E decodes to %2E%2E (..) and eventually to .. after final decoding. This double-encoded URL can bypass the Keycloak verification process, misleading the server into redirecting the user to an unintended (and potentially malicious) URL, leading to possible information disclosure or further attacks.

Mitigation

Users are advised to update their Keycloak instances to the latest version, which addresses the CVE-2022-3782 vulnerability. Also, avoid using wildcards in the Valid Redirect URIs field and use precise and specific redirect URLs when configuring Keycloak clients.

Here are some references to further investigate the Keycloak path traversal vulnerability

1. Keycloak GitHub Repository: https://github.com/keycloak/keycloak
2. Keycloak Advisory: https://www.keycloak.org/security-advisory/keycloak-path-traversal-via-double-url-encoding
3. NVD (National Vulnerability Database): https://nvd.nist.gov/vuln/detail/CVE-2022-3782

Conclusion

CVE-2022-3782 is a critical path traversal vulnerability in Keycloak that can be exploited via double URL encoding. Affected users should update their Keycloak instances to the latest version and follow recommended security practices, such as avoiding wildcards in the Valid Redirect URIs field.

Timeline

Published on: 01/13/2023 06:15:00 UTC
Last modified on: 01/25/2023 20:38:00 UTC