logo

Database

Lack of data validation In org.keycloak:keycloak-services

Description

Duplicate Advisory: Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cvg2-7c3j-g36j. This link is maintained to preserve external references.

Original Description

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. NVD-2023-61342. GCVE-GHSA-5968-qw33-h47j3. access.redhat.com4. access.redhat.com5. access.redhat.com6. access.redhat.com7. access.redhat.com8. access.redhat.com9. access.redhat.com10. ACCESS-CVE-2023-6134

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=2249673

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.