Description
keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.
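To make the weakness class concrete from the defender's side, here is an added example (not Keycloak's own code, and not a reproduction of its actual matching logic) of a redirect-URI validator with a wildcard entry. The naive version applies a prefix match to the still-encoded URI, so percent-encoded path segments are never examined; the hardened version fully decodes the path, normalises it, and only then checks that it remains under the registered prefix. The pattern `https://app.example.test/callback/*` and all test URIs are constructed for this example.

```python
"""Redirect-URI validation for a wildcard allow-list entry: naive vs. hardened.

Added illustration of the weakness class described above; not Keycloak code.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed example of a client registered with a wildcard Valid Redirect URI.
ALLOWED_PATTERN = "https://app.example.test/callback/*"


def naive_is_valid(redirect_uri: str, pattern: str = ALLOWED_PATTERN) -> bool:
    """Prefix match on the raw URI. Percent-encoding is never resolved, so an
    encoded '..' segment sits inside the matched prefix's subtree as far as this
    check can tell. This is the weak form."""
    assert pattern.endswith("/*"), "example only handles a trailing wildcard"
    return redirect_uri.startswith(pattern[:-1])


def fully_decode(s: str, max_rounds: int = 5) -> str:
    """Percent-decode until a fixed point, so nested encodings (%252e -> %2e -> .)
    cannot hide characters from later checks. Excess layers are rejected."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return decoded
        s = decoded
    raise ValueError("too many percent-encoding layers")


def hardened_is_valid(redirect_uri: str, pattern: str = ALLOWED_PATTERN) -> bool:
    """Decode, normalise, then compare against the registered prefix."""
    assert pattern.endswith("/*"), "example only handles a trailing wildcard"
    allowed = urlsplit(pattern)
    actual = urlsplit(redirect_uri)

    # The wildcard is only honoured in the path; scheme and authority must match exactly.
    if actual.scheme != allowed.scheme or actual.netloc != allowed.netloc:
        return False

    try:
        path = fully_decode(actual.path)
    except ValueError:
        return False

    # Characters that some downstream components treat as separators or terminators.
    if "\\" in path or "\x00" in path:
        return False

    # Collapse '.' and '..' segments so the comparison sees the effective path.
    normalized = posixpath.normpath(path)
    allowed_dir = allowed.path[:-1]  # "/callback/" for the constructed pattern
    return normalized == allowed_dir.rstrip("/") or normalized.startswith(allowed_dir)


if __name__ == "__main__":
    # Constructed inputs: one legitimate callback, one double-encoded traversal.
    for uri in (
        "https://app.example.test/callback/done?code=1",
        "https://app.example.test/callback/%252e%252e/admin",
    ):
        print(f"{uri}\n  naive={naive_is_valid(uri)} hardened={hardened_is_valid(uri)}")
```

The key design point is ordering: decoding and normalisation must happen before the allow-list comparison, and the authority part of the URI must never be covered by the wildcard. Repeated decoding is bounded so that an input with many encoding layers fails closed rather than being accepted after the loop gives up.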
Report
Red Hat Build of Quarkus is not impacted, as this CVE affects the server-side Keycloak execution, whereas Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason Quarkus is marked as Low impact.
Affected packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat build of Quarkus | keycloak | Affected | | |
| Red Hat Data Grid 8 | org.wildfly.security-wildfly-elytron-parent | Not affected | | |
| Red Hat Fuse 7 | keycloak | Fix deferred | | |
| Red Hat JBoss Data Grid 7 | keycloak | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 6 | keycloak | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 7 | keycloak-core | Not affected | | |
| AMQ Broker 7.10.3 | keycloak | Fixed | RHSA-2023:3185 | 17.05.2023 |
| AMQ Broker 7.11.0 | keycloak | Fixed | RHSA-2023:1661 | 05.04.2023 |
| Migration Toolkit for Runtimes 1 on RHEL 8 | org.keycloak-keycloak-parent | Fixed | RHSA-2023:1285 | 16.03.2023 |
| MTA-6.1-RHEL-8 | mta/mta-windup-addon-rhel8 | Fixed | RHSA-2023:2041 | 27.04.2023 |
Additional information
Status:
EPSS
8.1 High
CVSS3
Related vulnerabilities

- keycloak: path traversal via double URL encoding. A flaw was found in ...
- Keycloak vulnerable to path traversal via double URL encoding