Keycloak clients-registrations XSS (CVE-2021-20323) - Vulnerability Database

Keycloak clients-registrations XSS (CVE-2021-20323)

Description

Keycloak contains a cross-site scripting (XSS) vulnerability in the 'clients-registrations' endpoint, which fails to properly sanitize user-supplied input before rendering it in responses. Exploitation requires a non-standard request carrying a 'Content-Type: application/json' header, so the issue is not exploitable in default configurations; it can still be leveraged by attackers who can manipulate victims into submitting specially crafted requests to the vulnerable endpoint.

Remediation

Apply the following remediation steps:

1. Upgrade Keycloak to version 15.1.0 or later, which addresses CVE-2021-20323
2. Review and audit any custom client registration configurations for proper input validation
3. Implement Content Security Policy (CSP) headers to provide defense-in-depth against XSS attacks
4. Monitor application logs for suspicious requests to the '/clients-registrations' endpoint with JSON content types
5. If immediate patching is not possible, consider restricting access to the client registration endpoint through network controls or authentication requirements until the upgrade can be completed
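The following script is an added example for steps 1 and 4 above; it is not code from Invicti or from the Keycloak project. It checks a Keycloak version string against the 15.1.0 fix threshold and scans access-log lines for requests to the '/clients-registrations' endpoint that carry a JSON content type. Keycloak's default access log does not record the request Content-Type, so the log format is an assumption: a reverse proxy in front of Keycloak logging `client_ip [timestamp] "request line" status "content-type"`. The log lines themselves are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# Version at which CVE-2021-20323 is fixed (from the advisory above).
FIXED_VERSION = (15, 1, 0)

# Constructed sample log lines in the assumed reverse-proxy format:
#   <client_ip> [<timestamp>] "<method> <path> <proto>" <status> "<content-type>"
SAMPLE_LOG = """\
10.0.0.5 [20/Oct/2021:10:01:02 +0000] "GET /auth/realms/master/clients-registrations/default/my-client HTTP/1.1" 200 "-"
10.0.0.9 [20/Oct/2021:10:01:07 +0000] "POST /auth/realms/master/clients-registrations/default HTTP/1.1" 400 "application/json"
10.0.0.9 [20/Oct/2021:10:01:09 +0000] "POST /auth/realms/master/clients-registrations/openid-connect HTTP/1.1" 400 "application/json; charset=utf-8"
10.0.0.12 [20/Oct/2021:10:02:00 +0000] "POST /auth/realms/master/protocol/openid-connect/token HTTP/1.1" 200 "application/x-www-form-urlencoded"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '15.1.0', '15.0.2.Final' or '16.1' into a 3-tuple of ints.

    Non-numeric trailing qualifiers (e.g. 'Final') are dropped and
    missing components are padded with zeros so tuple comparison works.
    """
    parts: List[int] = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_patched(version: str) -> bool:
    """True if the given Keycloak version is 15.1.0 or later."""
    return parse_version(version) >= FIXED_VERSION


def is_json_content_type(ctype: str) -> bool:
    """Match 'application/json' with or without parameters such as charset."""
    return ctype.split(";", 1)[0].strip().lower() == "application/json"


def flag_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return parsed log entries that hit '/clients-registrations' with a JSON body type.

    Lines that do not match the assumed format are skipped rather than
    raising, so a partially garbled log file still yields results.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        if "/clients-registrations" in entry["path"] and is_json_content_type(entry["ctype"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for v in ("15.0.2", "15.1.0", "16.1.1.Final"):
        print(f"Keycloak {v}: {'patched' if is_patched(v) else 'VULNERABLE (upgrade to 15.1.0+)'}")
    for hit in flag_suspicious(SAMPLE_LOG):
        print(f"review: {hit['ip']} {hit['method']} {hit['path']} ({hit['ctype']})")
```

Run it as-is to see the two constructed JSON-typed registration requests flagged for review; in practice, point `flag_suspicious` at the proxy log and feed `is_patched` the version reported by your deployment. A JSON-typed request to this endpoint is not itself proof of an attack, so the output is a review queue, not an alert.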
