Keycloak-services
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
A vulnerability in Keycloak services allows for SMTP injection via crafted email addresses containing special characters. This injection can trigger the Keycloak server to send unsolicited short emails, limited to 64 characters due to email local part restrictions. While the immediate effect is the delivery of an unwanted email, this behavior could potentially be exploited as a stepping stone for more complex attacks.
Exploitation of this vulnerability results in the injection of SMTP data, causing the Keycloak server to send unsolicited emails. This could be used to facilitate more sophisticated attacks.
To reproduce this vulnerability, register a user in Keycloak with an email address that includes special UTF-8 characters. These characters can be crafted to exploit the email injection vulnerability by manipulating the email's byte values. Once the injection is successful, the server will send an unsolicited email to the injected address.
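The defensive counterpart to the behaviour described above is to reject, before an address ever reaches the mailer, anything that is not plain 7-bit ASCII, any control character, and any local part longer than the 64-character limit the advisory mentions. The following validator is an added illustration written for this page, not Keycloak's own code; it assumes a conservative dot-atom form for the local part (quoted local parts are rejected on purpose) and is meant to be called at registration or profile-update time.

```python
import re
from typing import List

# RFC 5321 caps the local part (everything before "@") at 64 octets; the
# advisory notes this is also what limits the injected message length.
MAX_LOCAL_PART = 64

# Conservative dot-atom local part: printable ASCII "atext" only, no quoting.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL_PART_RE = re.compile(rf"^{_ATEXT}(?:\.{_ATEXT})*$")

# Hostname labels: alphanumerics and hyphens, at least one dot, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def validate_email_for_smtp(address: str) -> List[str]:
    """Return the reasons an address must be rejected; an empty list means accept."""
    problems: List[str] = []

    # Anything outside 7-bit ASCII is refused outright, so no later re-encoding
    # step (for example a narrowing to single-byte charsets) can turn it into
    # a byte the SMTP layer interprets as a line terminator or delimiter.
    if not address.isascii():
        problems.append("non-ASCII characters present")

    # CR, LF, NUL and other control characters could end or alter an SMTP
    # command or header line; they are never legitimate in an address.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in address):
        problems.append("control characters present")

    if address.count("@") != 1:
        problems.append("address must contain exactly one '@'")
        return problems

    local, domain = address.split("@")
    if len(local) > MAX_LOCAL_PART:
        problems.append(f"local part exceeds {MAX_LOCAL_PART} characters")
    if not _LOCAL_PART_RE.match(local):
        problems.append("local part contains disallowed characters")
    if not _DOMAIN_RE.match(domain):
        problems.append("domain is not a valid hostname")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the advisory.
    for candidate in ("alice@example.com", "bob\nsmith@example.com", "\u00e5lice@example.com"):
        print(repr(candidate), "->", validate_email_for_smtp(candidate) or "accepted")
```

Reject on any non-empty result and log the reason; a burst of rejections with control or non-ASCII characters in the address field is itself a useful detection signal for attempts against this weakness.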