Description

Unsanitized user input values that can contain special characters can be saved as the Realm ID and name. This can be done through the Keycloak admin console UI or though the Keycloak Admin REST API.

Version

>= 23.0.4

Impact

Unexpected behavior that affects the realm functionality and their related components.

Recommendations

• Database ID field should be a randomly generated uuid and not a user controlled input value
• A unified sanitization and validation strategy should be implemented on all user input values to ensure only valid values are accepted and saved.

References

• https://issues.redhat.com/browse/RHSSO-2689
• https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html