Attackers can Redirect Users to Arbitrary URLs, Exposing Sensitive Information

CVE-2024-8883
6.1 MEDIUM

Key Information

Vendor:
Red Hat
Status:
Red Hat Build Of Keycloak
Red Hat Build Of Keycloak 22
Red Hat Build Of Keycloak 24
Red Hat Jboss Enterprise Application Platform 8
CVE Published:
19 September 2024

Summary

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
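The flaw only matters when a client's 'Valid Redirect URIs' contains a loopback entry, so the practical first step for a defender is to find such clients. The following audit script is an added example, not part of this advisory or of Keycloak itself; it reads a Keycloak realm export (the standard export format keeps each client's valid redirect URIs under the "redirectUris" key) and reports every http://localhost or http://127.0.0.1 entry. It assumes that an entry counts regardless of port, path or trailing wildcard, and the sample realm below is constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Hosts named in CVE-2024-8883 when they appear as a 'Valid Redirect URI'.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


def is_loopback_redirect(uri: str) -> bool:
    """True if a redirect URI entry points at http://localhost or http://127.0.0.1.

    Assumption: only scheme and host are compared, so entries with a port,
    path or wildcard (e.g. http://localhost:8080/*) are flagged as well.
    """
    # Keycloak accepts '*' wildcards; strip them so urlsplit sees a plain host.
    parts = urlsplit(uri.replace("*", ""))
    if parts.scheme != "http":
        return False
    return parts.hostname in LOOPBACK_HOSTS


def audit_realm(realm: dict) -> list:
    """Return (clientId, uri) pairs for every loopback redirect URI in a realm export."""
    findings = []
    for client in realm.get("clients", []):
        for uri in client.get("redirectUris", []):
            if is_loopback_redirect(uri):
                findings.append((client.get("clientId"), uri))
    return findings


# Constructed sample realm export; client ids and hosts are illustrative only.
SAMPLE_REALM_JSON = """
{
  "realm": "example",
  "clients": [
    {"clientId": "web-portal", "redirectUris": ["https://portal.example.test/callback"]},
    {"clientId": "dev-tool", "redirectUris": ["http://localhost:8080/*", "https://portal.example.test/*"]},
    {"clientId": "cli", "redirectUris": ["http://127.0.0.1/*"]}
  ]
}
"""

if __name__ == "__main__":
    for client_id, uri in audit_realm(json.loads(SAMPLE_REALM_JSON)):
        print(f"{client_id}: loopback redirect URI {uri!r} - remove or pin to an exact URI before deploying")
```

Run it against `kc.sh export` output (or the admin console's realm export) for each realm; any hit is a client to review in addition to applying the vendor update.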

Affected Version(s)

Red Hat build of Keycloak 22 <= 22.0.13-1

Red Hat build of Keycloak 22 <= 22-18

Red Hat build of Keycloak 22 <= 22-21

EPSS Score

1% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Risk change from: null to: 6.8 - (MEDIUM)

  • Vulnerability published.

  • Vulnerability Reserved.

  • Reported to Red Hat.

Collectors

NVD Database
Mitre Database

Credit

Red Hat would like to thank Karsten Meyer zu Selhausen and Niklas Conrad for reporting this issue.