Описание
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | keycloak | Not affected | ||
| Red Hat Fuse 7 | keycloak | Not affected | ||
| Red Hat OpenShift Application Runtimes | keycloak | Not affected | ||
| Red Hat Process Automation 7 | keycloak | Not affected | ||
| Red Hat support for Spring Boot | keycloak | Not affected | ||
| Red Hat Single Sign-On 7.4.5 | Fixed | RHSA-2021:0327 | 01.02.2021 | |
| Red Hat Single Sign-On 7.4 for RHEL 6 | rh-sso7-keycloak | Fixed | RHSA-2021:0318 | 01.02.2021 |
| Red Hat Single Sign-On 7.4 for RHEL 7 | rh-sso7-keycloak | Fixed | RHSA-2021:0319 | 01.02.2021 |
| Red Hat Single Sign-On 7.4 for RHEL 8 | rh-sso7-keycloak | Fixed | RHSA-2021:0320 | 01.02.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.8 Medium
CVSS3
Связанные уязвимости
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
A flaw was found in Keycloak before 13.0.0, where it is possible to fo ...
Keycloak vulnerable to Server-Side Request Forgery
EPSS
5.8 Medium
CVSS3