logo

Database

Uncontrolled external site redirect In org.keycloak:keycloak-services

Description

Duplicate Advisory: Keycloak Open Redirect vulnerability

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-w8gr-xwp4-r9f7. This link is maintained to preserve external references.

Original Description

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. NVD-2024-88832. GCVE-GHSA-vvf8-2h68-94753. ACCESS-CVE-2024-88834. access.redhat.com5. access.redhat.com6. access.redhat.com7. access.redhat.com8. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. access.redhat.com13. access.redhat.com14. access.redhat.com15. access.redhat.com16. access.redhat.com17. access.redhat.com

References

1. https://github.com/keycloak/keycloak/releases/tag/25.0.62. https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java3. https://bugzilla.redhat.com/show_bug.cgi?id=2312511

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.