Lucene search

K

GoogleOSV:CVE-2023-6291

HistoryJan 26, 2024 - 3:15 p.m.

CVE-2023-6291

2024-01-2615:15:08

Google

osv.dev

12

keycloak

redirect_uri

validation

access token

impersonation

security flaw

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

AI Score

6.1

Confidence

High

EPSS

0.001

Percentile

42.6%

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

References

access.redhat.com/errata/RHSA-2023:7854

access.redhat.com/errata/RHSA-2023:7855

access.redhat.com/errata/RHSA-2023:7856

access.redhat.com/errata/RHSA-2023:7857

access.redhat.com/errata/RHSA-2023:7858

access.redhat.com/errata/RHSA-2023:7860

access.redhat.com/errata/RHSA-2023:7861

access.redhat.com/errata/RHSA-2024:0798

access.redhat.com/errata/RHSA-2024:0799

access.redhat.com/errata/RHSA-2024:0800

access.redhat.com/errata/RHSA-2024:0801

access.redhat.com/errata/RHSA-2024:0804

access.redhat.com/security/cve/CVE-2023-6291

bugzilla.redhat.com/show_bug.cgi?id=2251407

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

AI Score

6.1

Confidence

High

EPSS

0.001

Percentile

42.6%

Related for OSV:CVE-2023-6291

veracode1 github1 nvd2 cve2 prion1 cvelist2 osv1 redhatcve2 redhat12 nessus6