Attackers can Redirect Users to Arbitrary URLs, Exposing Sensitive Information

CVE-2024-8883

6.1MEDIUM

Key Information

Vendor
Red Hat
Status
Red Hat Build Of Keycloak
Red Hat Build Of Keycloak 22
Red Hat Build Of Keycloak 24
Red Hat Jboss Enterprise Application Platform 8
Vendor
CVE Published:
19 September 2024

Summary

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

Affected Version(s)

Red Hat build of Keycloak 22 <= 22.0.13-1

Red Hat build of Keycloak 22 <= 22-18

Red Hat build of Keycloak 22 <= 22-21

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Karsten Meyer zu Selhausen and Niklas Conrad for reporting this issue.
.