Lucene search

Veracode Vulnerability DatabaseVERACODE:46496

HistoryApr 18, 2024 - 5:23 a.m.

Path Traversal

2024-04-1805:23:34

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

path traversal

keycloak

services

vulnerability

host bypass

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS

Percentile

15.5%

JSON

org.keycloak:keycloak-services is vulnerable to Path traversal. The vulnerability is due to a flaw in the redirect_uri validation logic that may allow bypassing otherwise explicitly allowed hosts.

References

access.redhat.com/errata/RHSA-2024:1867

access.redhat.com/security/cve/CVE-2024-2419

bugzilla.redhat.com/show_bug.cgi?id=2269371

github.com/advisories/GHSA-mrv8-pqfj-7gp5

github.com/keycloak/keycloak/commit/e310604cf61561a81d53529c8b59e4177d81c736