Description
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
Vulnerable configurations
Configuration 1: version before 12.0.2 (excluding)
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
EPSS
Percentile: 100%
0.92282
Critical
CVSS3: 5.3 Medium
CVSS2: 5 Medium
Weaknesses
CWE-918
Related vulnerabilities
- redhat, about 5 years ago, CVSS3: 5.8
  A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
- debian, about 5 years ago, CVSS3: 5.3
  A flaw was found in Keycloak before 13.0.0, where it is possible to fo ...
- github, more than 3 years ago, CVSS3: 5.3
  Keycloak vulnerable to Server-Side Request Forgery