Keycloak: redirect_uri validation bypass
CVE-2023-6291
7.1 HIGH
Key Information:
- Vendor: Red Hat
- Status: Vendor
- CVE Published: 26 January 2024
Summary
A flaw has been identified in the redirect_uri validation logic of Keycloak, the identity and access management product developed by Red Hat. The flaw may allow the hosts explicitly allowed for a client's redirect URIs to be bypassed. A victim who follows a crafted authorization request can have the resulting access token delivered to an attacker-controlled location, which lets the attacker impersonate that user and reach the data the user is authorized to access. The CVSS vector reflects this: no privileges are required, but user interaction is, and the scope is changed because the token grants access to resources outside the vulnerable component itself. Organizations running Keycloak should apply the vendor's fixed build and review the redirect URIs registered for each client for overly broad patterns.
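The advisory describes the class of bug (an allowlist of redirect hosts that can be bypassed) but not the specific input that bypasses it. The block below is an added example, not Keycloak code and not a reproduction of the CVE-2023-6291 vector; it contrasts a raw-string prefix check against a component-wise check on the parsed URI, which is the property an authorization server needs to hold regardless of the particular bypass. The allowlist entries, hostnames (app.example.com, attacker.example) and the https-only, no-userinfo, no-fragment policy are constructed assumptions for the illustration.

```python
"""Added illustration of strict redirect_uri allowlisting for an OAuth 2.0 /
OIDC authorization server. Not Keycloak's code; the allowlists and hosts
below are constructed for the example."""
from urllib.parse import urlsplit


def naive_is_allowed(redirect_uri, allowed):
    """Weak check: raw-string prefix matching when a pattern ends in '*'.

    A host-level wildcard such as 'https://app.example.com*' admits any
    string that merely starts with the registered text, including URLs whose
    real host is attacker-controlled (a longer hostname, or userinfo before
    an '@' followed by the real host).
    """
    for pattern in allowed:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def _split_pattern(pattern):
    """Parse a registered pattern; '*' is allowed only as the final path char."""
    p = urlsplit(pattern)
    if "*" in p.netloc or "*" in p.query or "*" in p.fragment or "*" in p.path[:-1]:
        raise ValueError("wildcard outside trailing path position: " + pattern)
    return p


def check_registered_patterns(allowed):
    """Return the registered patterns the strict checker would never match,
    so an operator can catch them at registration time."""
    bad = []
    for pattern in sorted(allowed):
        try:
            _split_pattern(pattern)
        except ValueError:
            bad.append(pattern)
    return bad


def _normalized_port(parts):
    # SplitResult.port raises ValueError on a non-numeric port.
    port = parts.port
    if port is None:
        return {"https": 443, "http": 80}.get(parts.scheme)
    return port


def strict_is_allowed(redirect_uri, allowed):
    """Component-wise check: parse the URI, normalize host case and default
    port, and compare scheme, host, port and path (plus query for exact
    patterns) against each registered pattern.

    Policy (an assumption of this example, not taken from the advisory):
    https only, no userinfo, no fragment, no dot segments.
    """
    try:
        parts = urlsplit(redirect_uri)
        port = _normalized_port(parts)
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None or parts.fragment:
        return False
    path = parts.path or "/"
    if any(seg in (".", "..") for seg in path.split("/")):
        return False
    for pattern in allowed:
        try:
            p = _split_pattern(pattern)
            p_port = _normalized_port(p)
        except ValueError:
            continue  # a malformed registration never matches
        if (p.scheme, p.hostname, p_port) != (parts.scheme, parts.hostname, port):
            continue
        if p.path.endswith("*"):
            if path.startswith(p.path[:-1]):
                return True
        elif (p.path or "/") == path and p.query == parts.query:
            return True
    return False


if __name__ == "__main__":
    weak = {"https://app.example.com*"}
    good = {"https://app.example.com/callback", "https://app.example.com/oauth/*"}
    for uri in ("https://app.example.com.attacker.example/callback",
                "https://app.example.com@attacker.example/callback"):
        print(uri, "naive:", naive_is_allowed(uri, weak), "strict:", strict_is_allowed(uri, good))
    print("bad registrations:", check_registered_patterns(weak | good))
```

The two constructed inputs in the usage block are the classic ways a prefix match goes wrong: the registered host as a prefix of a longer attacker hostname, and the registered host placed in the userinfo part before an `@`. The strict version rejects both because it compares the parsed hostname rather than the raw string, and `check_registered_patterns` flags the host-level wildcard so it can be refused when the client is registered rather than matched loosely at authorization time.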
Affected Version(s)
- Red Hat build of Keycloak 22 22.0.7-1
- Red Hat build of Keycloak 22 22-6
- Red Hat build of Keycloak 22 22-9
CVSS V3.1
- Score: 7.1
- Severity: HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: Low
Timeline
- Vulnerability published: 26 January 2024
- Vulnerability reserved
Collectors
- NVD Database
- Mitre Database