logo

Database

Lack of data validation In org.keycloak:keycloak-services

Description

Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri Keycloak prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This could permit an attacker to submit a specially crafted request leading to XSS or possibly further attacks.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-61342. NVD-2023-61343. OSV-2023-61344. GHSA-cvg2-7c3j-g36j5. GCVE-2023-61346. access.redhat.com7. access.redhat.com8. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. access.redhat.com13. ACCESS-CVE-2023-6134

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-cvg2-7c3j-g36j2. https://github.com/keycloak/keycloak/commit/15a21bf8e4fb71f006ba9caf25b9c9d1d152cd203. https://bugzilla.redhat.com/show_bug.cgi?id=2249673

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.