logo

Database

Uncontrolled external site redirect In org.keycloak:keycloak-services

Description

Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost/ or http://127.0.0.1/, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-88832. NVD-2024-88833. OSV-2024-88834. GHSA-w8gr-xwp4-r9f75. GCVE-2024-88836. ACCESS-CVE-2024-88837. access.redhat.com8. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. access.redhat.com13. access.redhat.com14. access.redhat.com15. access.redhat.com16. access.redhat.com17. access.redhat.com18. access.redhat.com19. access.redhat.com20. access.redhat.com

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-w8gr-xwp4-r9f72. https://github.com/keycloak/keycloak/releases/tag/25.0.63. https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java4. https://bugzilla.redhat.com/show_bug.cgi?id=23125115. https://vulncheck.com/cve/CVE-2024-88836. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-8883.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.