GoogleOSV:GHSA-VVF8-2H68-9475Keycloak Open Redirect vulnerability
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
76.5%
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a ‘Valid Redirect URI’ is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
References
access.redhat.com/errata/RHSA-2024:6878
access.redhat.com/errata/RHSA-2024:6879
access.redhat.com/errata/RHSA-2024:6880
access.redhat.com/errata/RHSA-2024:6882
access.redhat.com/errata/RHSA-2024:6886
access.redhat.com/errata/RHSA-2024:6887
access.redhat.com/errata/RHSA-2024:6888
access.redhat.com/errata/RHSA-2024:6889
access.redhat.com/errata/RHSA-2024:6890
access.redhat.com/security/cve/CVE-2024-8883
bugzilla.redhat.com/show_bug.cgi?id=2312511
github.com/keycloak/keycloak
github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java
github.com/keycloak/keycloak/releases/tag/25.0.6
nvd.nist.gov/vuln/detail/CVE-2024-8883
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
76.5%