Bypass of Redirect URI Validation in Keycloak May Lead to Access Token Theft
CVE-2024-2419
7.1HIGH
Key Information
- Vendor
- Red Hat
- Status
- Upstream
- Red Hat Build Of Keycloak 22
- Vendor
- CVE Published:
- 17 April 2024
Summary
A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to CVE-2023-6291.
CVSS V3.1
Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
Timeline
Risk change from: null to: 7.1 - (HIGH)
Vulnerability published.
Vulnerability Reserved.
Reported to Red Hat.
Collectors
NVD DatabaseMitre Database
Credit
Red Hat would like to thank Taha Marzak for reporting this issue.