CVE-2023-6717 identifies a Cross-Site Scripting (XSS) vulnerability in Keycloak's SAML client registration process. Specifically, the flaw arises from improper neutralization of input during web page generation, where an attacker with administrative privileges or client registration access can register malicious JavaScript URIs as Assertion Consumer Service (ACS) POST Binding URLs. These URLs are used during SAML authentication flows to receive assertions. By injecting JavaScript into these URLs, the attacker can cause arbitrary script execution in the context of other realms or applications within the same Keycloak instance when users submit forms. This cross-realm impact is particularly dangerous because it breaks the isolation between tenants or applications managed by Keycloak. The vulnerability affects versions up to and including 24.0.0. Exploitation requires high privileges (administrator or client with registration rights) and user interaction (form submission). The CVSS 3.1 score is 6.0 (medium severity), reflecting network attack vector, high complexity, required privileges, and user interaction. The impact includes potential unauthorized access, session hijacking, data theft, and disruption of authentication services, compromising confidentiality, integrity, and availability of the Keycloak instance. No public exploits are currently known, but the vulnerability is significant due to Keycloak's widespread use as an open-source identity and access management solution. The issue was published on April 25, 2024, and is recognized by CISA and Red Hat. No official patches or mitigations are linked in the provided data, indicating the need for immediate attention by administrators.

For European organizations, this vulnerability poses a significant risk especially for those relying on Keycloak for centralized identity and access management across multiple applications or realms. Successful exploitation could allow a malicious insider or compromised client to execute arbitrary JavaScript in other tenants' contexts, potentially leading to credential theft, session hijacking, unauthorized access to sensitive data, and disruption of authentication workflows. This could affect sectors with stringent data protection requirements such as finance, healthcare, government, and critical infrastructure. The cross-realm nature of the attack increases the blast radius, making multi-tenant environments particularly vulnerable. Additionally, compromised Keycloak instances could undermine trust in federated identity systems and complicate compliance with GDPR and other privacy regulations. The medium CVSS score suggests moderate urgency, but the potential for privilege escalation and lateral movement within organizations elevates the operational risk.

European organizations should immediately audit their Keycloak deployments to identify versions up to 24.0.0 and prioritize upgrading to patched versions once available. Until patches are released, restrict client registration permissions strictly to trusted administrators and minimize the number of users with such privileges. Implement strict input validation and sanitization on all client registration inputs, especially URLs used in SAML configurations. Monitor Keycloak logs for unusual client registrations or modifications to ACS URLs. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious JavaScript payloads in URLs. Conduct regular security reviews of multi-realm configurations to ensure isolation is maintained. Educate administrators about the risks of registering untrusted URLs and enforce multi-factor authentication for all privileged accounts. Finally, consider isolating critical realms or applications in separate Keycloak instances to reduce cross-realm attack surfaces.