Attackers can Redirect Users to Arbitrary URLs, Exposing Sensitive Information
CVE-2024-8883

6.1MEDIUM

Key Information:

Vendor
Red Hat
Status
Red Hat Build Of Keycloak
Red Hat Build Of Keycloak 22
Red Hat Build Of Keycloak 24
Red Hat Jboss Enterprise Application Platform 8
Vendor
CVE Published:
19 September 2024

Summary

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

References

https://access.redhat.com/errata/RHSA-2024:6878
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6879
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6880
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Karsten Meyer zu Selhausen and Niklas Conrad for reporting this issue.
.