Description
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
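As an added illustration (not Keycloak's own implementation), the check below shows how a wildcard entry in Valid Redirect URIs should be treated: the wildcard only widens the path, scheme/host/port are compared exactly, and the requested path is canonicalised before the prefix comparison so traversal segments and double-encoded forms are rejected instead of matched. The pattern and URLs are constructed for the example.

```python
from urllib.parse import urlsplit, unquote
import posixpath


def normalize_path(path):
    """Canonicalise a URL path before comparing it against a registered prefix.

    Returns None when the path must be rejected outright: a '..' segment,
    a backslash, or a '%' that survives one decode pass (double encoding).
    """
    decoded = unquote(path or "/")
    if "%" in decoded or "\\" in decoded:
        return None
    if ".." in decoded.split("/"):
        return None
    normalized = posixpath.normpath(decoded)   # collapses '.' and '//'
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def is_allowed_redirect(redirect_uri, pattern):
    """True only if redirect_uri is covered by the registered pattern.

    A pattern ending in '/*' (constructed example: https://app.example.com/callback/*)
    permits any path below that prefix; scheme, host and port never take a wildcard.
    """
    r, p = urlsplit(redirect_uri), urlsplit(pattern)
    try:
        same_origin = (r.scheme.lower(), r.hostname, r.port) == \
                      (p.scheme.lower(), p.hostname, p.port)
    except ValueError:            # unparsable port
        return False
    if not same_origin or r.username or r.password or r.fragment:
        return False
    path = normalize_path(r.path)
    if path is None:
        return False
    if p.path.endswith("/*"):
        return path.startswith(p.path[:-1])   # "/callback/*" -> "/callback/"
    return path == p.path
```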
Statement
Red Hat build of Quarkus is not impacted: this CVE affects server-side Keycloak execution, whereas Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason, Quarkus is marked as having a Low impact.
Mitigation
No current mitigation is available for this vulnerability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat build of Apicurio Registry 2 | keycloak | Affected | | |
| Red Hat build of Quarkus | org.keycloak/keycloak-core | Affected | | |
| Red Hat Data Grid 8 | org.wildfly.security-wildfly-elytron-parent | Not affected | | |
| Red Hat Decision Manager 7 | keycloak | Out of support scope | | |
| Red Hat Fuse 7 | keycloak | Fix deferred | | |
| Red Hat JBoss Data Grid 7 | keycloak | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 6 | keycloak | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 7 | keycloak-core | Not affected | | |
| Red Hat Process Automation 7 | keycloak | Affected | | |
| Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-operator-bundle | Fixed | RHSA-2024:3919 | 13.06.2024 |
Additional information
CVSS3: 8.1 High
Related vulnerabilities
Keycloak path traversal vulnerability in redirection validation