CVE-2022-4361: 
Java vulnerability analysis and mitigation

Keycloak, an open-source identity and access management solution, was found to have a cross-site scripting (XSS) vulnerability (CVE-2022-4361) in its SAML or OIDC providers. The vulnerability was discovered in December 2022 and could allow an attacker to execute malicious scripts by manipulating the AssertionConsumerServiceURL value or the redirecturi parameter (CVE Details, [Red Hat Bugzilla](https://bugzilla.redhat.com/showbug.cgi?id=2151618)).

The vulnerability stems from insufficient validation of URI schemes in the SAML and OIDC providers. The issue specifically relates to the validation of redirect URIs, where the system previously allowed potentially malicious URI schemes through lax validation. The vulnerability affects the redirect URI validation mechanism, particularly when processing the AssertionConsumerServiceURL value in SAML or the redirect_uri parameter in OIDC implementations (GitHub Commit).

If exploited, this vulnerability could allow attackers to execute malicious scripts in the context of the user's browser session. This could potentially lead to session hijacking, data theft, or other malicious actions performed in the context of the authenticated user's session (Red Hat Bugzilla).

The issue has been addressed through enhanced URI scheme validation. For applications using non-http(s) custom schemes, the validation now requires that a valid redirect pattern explicitly allows that scheme. For example, patterns like 'custom:/test', 'custom:/test/' or 'custom:' are required for allowing the 'custom' scheme. For security reasons, a general pattern like '*' no longer covers non-http(s) schemes (GitHub Commit).