Keycloak Flaw Allows Attackers to Bypass Validation and Access Sensitive Information
CVE-2024-1132
8.1 HIGH
Key Information
- Vendor: Red Hat
- Status:
  - Migration Toolkit For Runtimes 1 On Rhel 8
  - Mta-6.2-rhel-9
  - Red Hat Build Of Keycloak 22
  - Red Hat Build Of Keycloak 22.0.10
- CVE Published: 17 April 2024
Summary
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
Affected Version(s)
Migration Toolkit for Runtimes 1 on RHEL 8 <= 1.2-23
Migration Toolkit for Runtimes 1 on RHEL 8 <= 1.2-15
Migration Toolkit for Runtimes 1 on RHEL 8 <= 1.2-16
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
- Risk change from: null to: 8.1 (HIGH)
- Vulnerability published.
- Vulnerability reserved.
- Reported to Red Hat.
Collectors
- NVD Database
- Mitre Database
Credit
Red Hat would like to thank Axel Flamcourt for reporting this issue.