exploitDog
GHSA-vvf8-2h68-9475

Published: 19 Sep 2024
Source: github
GitHub: Reviewed
CVSS4: 7.7
CVSS3: 6.8

Description

Duplicate Advisory: Keycloak Open Redirect vulnerability

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-w8gr-xwp4-r9f7. This link is maintained to preserve external references.

Original Description

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
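The advisory pins the risk on a specific configuration: a client whose Valid Redirect URI list contains a loopback entry such as http://localhost or http://127.0.0.1. The fix is upgrading keycloak-services to 25.0.6 or later, but an administrator can also audit existing realms for that pattern. The script below is an added example, not code from the advisory or from the Keycloak project. It walks a realm export (the constructed sample mirrors the export's clients/redirectUris shape) and reports every client that registers a loopback redirect URI; it generalizes slightly beyond the two hosts named on the page by also treating ::1, the rest of 127.0.0.0/8 and *.localhost names as loopback.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample in the shape of a Keycloak realm export (clients -> redirectUris).
# Hostnames and client IDs are made up for the example.
REALM_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "web-app", "redirectUris": ["https://app.example.com/callback"]},
        {"clientId": "dev-tool", "redirectUris": ["http://localhost", "http://localhost:8080/cb"]},
        {"clientId": "cli", "redirectUris": ["http://127.0.0.1/auth", "http://[::1]:9000/cb"]},
        {"clientId": "legacy", "redirectUris": ["http://10.0.0.5/cb", "https://app.example.com/*"]},
    ],
})

LOOPBACK_NAMES = {"localhost"}


def is_loopback_redirect(uri: str) -> bool:
    """True if the redirect URI points at a loopback host (localhost, 127/8, ::1)."""
    host = urlparse(uri).hostname  # strips port, IPv6 brackets and userinfo; None for relative URIs
    if not host:
        return False
    host = host.lower()
    if host in LOOPBACK_NAMES or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Not an IP literal (a DNS name or a wildcard entry): not loopback by this check
        return False


def find_loopback_redirects(realm_json: str) -> list[tuple[str, str]]:
    """Return (clientId, uri) pairs for every loopback Valid Redirect URI in the export."""
    realm = json.loads(realm_json)
    findings = []
    for client in realm.get("clients", []):
        for uri in client.get("redirectUris", []):
            if is_loopback_redirect(uri):
                findings.append((client["clientId"], uri))
    return findings


if __name__ == "__main__":
    for client_id, uri in find_loopback_redirects(REALM_EXPORT):
        print(f"{client_id}: loopback redirect URI {uri!r}")
```

Run it against a real export (for example the JSON produced by Keycloak's realm export) by replacing REALM_EXPORT with the file contents; each finding is a client whose redirect configuration matches the condition the advisory describes and should be reviewed alongside the version upgrade.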

Packages

Name: org.keycloak:keycloak-services (maven)

Affected versions: < 25.0.6
Fixed version: 25.0.6

7.7 High

CVSS4

6.8 Medium

CVSS3

Weaknesses

CWE-601