Description
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.
Mitigation
The Trusted Hosts Policy can be used to mitigate this attack: https://www.keycloak.org/docs/latest/securing_apps/index.html#client-registration-policies
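As an added illustration of the check a registration endpoint needs for this class of bug (example code written for this page, not Keycloak's own implementation or its fix): every redirect_uri a client registers is accepted only if it carries an explicitly allowed scheme and a host, so pseudo-schemes such as javascript: or data:, which the browser would execute or render on redirect, and scheme-relative values are refused. The allowed-scheme set is an assumption of the example.

```python
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumption for this example: only web origins may be registered. A native
# app's custom scheme would need explicit per-client review before being added.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect_uri(uri: str) -> bool:
    """Return True only if `uri` has an allow-listed scheme and a non-empty host.

    This is the allow-list counterpart of the flaw described above: instead of
    blocking known-bad schemes, anything that is not http(s) with a host fails.
    """
    if not isinstance(uri, str) or not uri:
        return False
    # Leading/trailing whitespace or control characters let values such as
    # " javascript:..." slip past naive prefix checks; treat them as malformed.
    if uri != uri.strip() or any(c in uri for c in "\r\n\t\x00"):
        return False
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False          # covers javascript:, data:, and scheme-relative "//host"
    if not parts.netloc:
        return False          # "https:" or "https:///path" has no host to redirect to
    return True


def filter_registration(redirect_uris: List[str]) -> Tuple[List[str], List[str]]:
    """Split a registration request's redirect_uris into (accepted, rejected).

    A server should refuse the whole registration if `rejected` is non-empty
    and log the offending values for review.
    """
    accepted = [u for u in redirect_uris if is_safe_redirect_uri(u)]
    rejected = [u for u in redirect_uris if not is_safe_redirect_uri(u)]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample registration request, not taken from any real client.
    sample = ["https://app.example/callback", "javascript:void(0)", "//app.example/cb"]
    print(filter_registration(sample))
```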
Affected packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | keycloak | Not affected | | |
| Red Hat Fuse 7 | keycloak | Not affected | | |
| Red Hat OpenShift Application Runtimes | keycloak | Not affected | | |
| Red Hat Process Automation 7 | keycloak | Not affected | | |
| Red Hat support for Spring Boot | keycloak | Not affected | | |
| Red Hat Single Sign-On 7.4.3 | | Fixed | RHSA-2020:4931 | 04.11.2020 |
| Red Hat Single Sign-On 7.4 for RHEL 6 | rh-sso7-keycloak | Fixed | RHSA-2020:4929 | 04.11.2020 |
| Red Hat Single Sign-On 7.4 for RHEL 7 | rh-sso7-keycloak | Fixed | RHSA-2020:4930 | 04.11.2020 |
| Red Hat Single Sign-On 7.4 for RHEL 8 | rh-sso7-keycloak | Fixed | RHSA-2020:4932 | 04.11.2020 |
| Red Hat Single Sign-On 7.4 for RHEL 8 | rh-sso7-libunix-dbus-java | Fixed | RHSA-2020:4932 | 04.11.2020 |
Additional information
CVSS3: 4 Medium