Red Hat Build of Keycloak
cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*
A CORS header injection vulnerability has been identified in Keycloak's User-Managed Access (UMA) token endpoint. This vulnerability allows remote attackers to exploit unvalidated JSON Web Token (JWT) claims. Specifically, the 'azp' claim from a client-supplied JWT is used to set the 'Access-Control-Allow-Origin' header before the JWT signature is verified. As a result, an attacker can craft a JWT with a malicious 'azp' value that is reflected as the CORS origin, potentially exposing low-sensitivity information from authorization server error responses. This issue arises only when the target client is misconfigured to accept all origins and does not affect default Keycloak installations.
Exploitation of this vulnerability can lead to unauthorized cross-origin access, allowing attackers to read low-sensitivity information from the authorization server's error responses, thereby weakening the security of origin isolation.
To reproduce this vulnerability, a remote attacker must send a specially crafted JWT to Keycloak's UMA token endpoint. The JWT must include an 'azp' claim with an attacker-controlled value. When the JWT is processed, the 'azp' value is injected into the 'Access-Control-Allow-Origin' header, creating a CORS vulnerability. This exploitation requires the target client to be misconfigured with 'webOrigins: ["*"]'.
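Since the advisory's precondition is a client with `webOrigins: ["*"]`, a practical defender check is to audit a realm export for that setting. The script below is an added example, not Keycloak's own code; the realm JSON is a constructed sample that mirrors the `clients[].clientId` / `clients[].webOrigins` layout of a Keycloak realm export.

```python
import json

# Constructed sample realm export (not from a real deployment). Keycloak
# realm exports carry a "clients" list in which each client has a
# "clientId" and an optional "webOrigins" list of allowed CORS origins.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "portal", "webOrigins": ["https://portal.example.test"]},
        {"clientId": "legacy-api", "webOrigins": ["*"]},
        {"clientId": "admin-cli", "webOrigins": []},
        {"clientId": "no-origins-key"},
    ],
})


def find_wildcard_origin_clients(realm_export_json: str) -> list:
    """Return the clientIds whose webOrigins list contains the wildcard '*'.

    Only such clients satisfy the misconfiguration the advisory names: with
    all origins accepted, a reflected 'azp' value is honoured as the
    Access-Control-Allow-Origin for error responses. Clients without a
    webOrigins key, or with an empty list, are not flagged.
    """
    realm = json.loads(realm_export_json)
    flagged = []
    for client in realm.get("clients", []):
        origins = client.get("webOrigins") or []
        if any(str(origin).strip() == "*" for origin in origins):
            flagged.append(client["clientId"])
    return sorted(flagged)


if __name__ == "__main__":
    for client_id in find_wildcard_origin_clients(SAMPLE_REALM_EXPORT):
        print(f"client '{client_id}' accepts all web origins (webOrigins: ['*'])")
```

Run it against a real export (`kc.sh export --realm <name>` style output) by reading the file into `find_wildcard_origin_clients`; an empty result means no client meets the advisory's precondition.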