Keycloak Flaw Allows Attackers to Bypass Validation and Access Sensitive Information
CVE-2024-1132

8.1HIGH

Summary

Keycloak does not correctly validate the URL supplied in a redirect. The weakness affects any client whose Valid Redirect URIs entry contains a wildcard (for example a pattern ending in `*`): the wildcard is matched loosely, so an attacker can construct a redirect target that satisfies the pattern yet lands on another URL within the same domain, bypassing the intended restriction and potentially exposing sensitive information or enabling further attacks. User interaction is required, since the victim must follow a crafted link that starts the authentication flow. Administrators should upgrade to a fixed Keycloak release, audit every client for wildcard entries in Valid Redirect URIs, and replace wildcards with exact callback URLs wherever the application allows it.
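To make the failure mode concrete, the following added example (not Keycloak's code, and not an exploit for this CVE) models a redirect-URI check of the kind the summary describes: a wildcard pattern matched as a plain string prefix, beside a hardened check that canonicalizes the URL and refuses `.`/`..` segments, fragments and userinfo before matching. The client list, the pattern `https://app.example.com/portal/*` and all helper names are constructed for illustration; the userinfo and fragment rejections go beyond the specific issue on this page and are general hygiene for any redirect validator.

```python
"""Model of wildcard redirect-URI validation: naive prefix match vs. a
hardened, canonicalizing match. Added illustration, not Keycloak's code."""
from urllib.parse import urlsplit, unquote, urlunsplit

# Constructed sample clients, shaped like a realm export (illustrative only).
CLIENTS = [
    {"clientId": "portal",
     "redirectUris": ["https://app.example.com/portal/*"]},
    {"clientId": "billing",
     "redirectUris": ["https://app.example.com/billing/callback"]},
]


def naive_matches(redirect_uri: str, pattern: str) -> bool:
    """String-prefix wildcard match with no normalization (the weak form).
    'https://app.example.com/portal/*' accepts anything that merely starts
    with 'https://app.example.com/portal/', including traversal sequences."""
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def canonicalize(redirect_uri: str):
    """Split the URL and percent-decode the path so that an encoded
    '%2e%2e' is seen as '..' before any policy decision is made."""
    p = urlsplit(redirect_uri)
    return p.scheme.lower(), p.netloc.lower(), unquote(p.path or "/"), p.query, p.fragment


def hardened_matches(redirect_uri: str, pattern: str) -> bool:
    """Reject structurally suspicious URLs first, then match the canonical
    form, so a trailing wildcard can only widen the path *below* the
    configured prefix and never climb out of it."""
    scheme, netloc, path, query, fragment = canonicalize(redirect_uri)
    if fragment or "@" in netloc or "\\" in path:
        return False
    if any(seg in (".", "..") for seg in path.split("/")):
        return False
    canonical = urlunsplit((scheme, netloc, path, query, ""))
    return naive_matches(canonical, pattern)


def allowed(redirect_uri: str, patterns, check=hardened_matches) -> bool:
    """True if the redirect URI satisfies any configured pattern."""
    return any(check(redirect_uri, pat) for pat in patterns)


def wildcard_clients(clients) -> list:
    """Audit helper: clientIds whose Valid Redirect URIs use a wildcard,
    i.e. the clients the advisory identifies as affected."""
    return [c["clientId"] for c in clients
            if any("*" in u for u in c["redirectUris"])]


if __name__ == "__main__":
    pattern = "https://app.example.com/portal/*"
    for uri in ("https://app.example.com/portal/home",
                "https://app.example.com/portal/../admin/",
                "https://app.example.com/portal/%2e%2e/admin/"):
        print(f"{uri}\n  naive={naive_matches(uri, pattern)} "
              f"hardened={hardened_matches(uri, pattern)}")
    print("clients using wildcards:", wildcard_clients(CLIENTS))
```

The naive check accepts both traversal forms because the literal string begins with the configured prefix; the hardened check decodes the path first, so the encoded and plain variants are rejected the same way, while a legitimate callback under the prefix still passes. The `wildcard_clients` helper is the quick inventory an administrator wants when deciding which clients to tighten.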

Affected Version(s)

Migration Toolkit for Runtimes 1 on RHEL 8 1.2-23

Migration Toolkit for Runtimes 1 on RHEL 8 1.2-15

Migration Toolkit for Runtimes 1 on RHEL 8 1.2-16

These are the Red Hat product builds that bundle Keycloak and are tracked by this entry; they are not a complete list of affected upstream Keycloak releases, so check the upstream advisory for the version you run.

CVSS V3.1

Score: 8.1
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Collectors

NVD Database, MITRE Database

Credit

Red Hat would like to thank Axel Flamcourt for reporting this issue.