Lucene search
RedhatCVE-2024-1132HistoryApr 17, 2024 - 2:15 p.m.
CVE-2024-1132
2024-04-1714:15:07
CWE-22
redhat
web.nvd.nist.gov
166
keycloak
url validation
attacker bypass
sensitive information
client security
CVSS3
8.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
AI Score
5.7
Confidence
Low
EPSS
0.001
Percentile
17.0%
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
CNA Affected
[
{
"versions": [
{
"status": "affected",
"version": "21.1.0",
"lessThan": "22.0.10",
"versionType": "semver"
},
{
"status": "affected",
"version": "23.0.0",
"lessThan": "24.0.3",
"versionType": "semver"
}
],
"packageName": "keycloak",
"collectionURL": "https://github.com/keycloak/keycloak",
"defaultStatus": "unaffected"
},
{
"vendor": "Red Hat",
"product": "Migration Toolkit for Runtimes 1 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "mtr/mtr-operator-bundle",
"defaultStatus": "affected",
"versions": [
{
"version": "1.2-23",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
]
},
{
"vendor": "Red Hat",
"product": "Migration Toolkit for Runtimes 1 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "mtr/mtr-rhel8-operator",
"defaultStatus": "affected",
"versions": [
{
"version": "1.2-15",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
]
},
{
"vendor": "Red Hat",
"product": "Migration Toolkit for Runtimes 1 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "mtr/mtr-web-container-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "1.2-16",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
]
},
{
"vendor": "Red Hat",
"product": "Migration Toolkit for Runtimes 1 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "mtr/mtr-web-executor-container-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "1.2-14",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
]
},
{
"vendor": "Red Hat",
"product": "MTA-6.2-RHEL-9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "mta/mta-windup-addon-rhel9",
"defaultStatus": "affected",
"versions": [
{
"version": "6.2.3-2",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:6.2::el9",
"cpe:/a:redhat:migration_toolkit_applications:6.2::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "rhbk/keycloak-operator-bundle",
"defaultStatus": "affected",
"versions": [
{
"version": "22.0.10-1",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:build_keycloak:22::el9"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "rhbk/keycloak-rhel9",
"defaultStatus": "affected",
"versions": [
{
"version": "22-13",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:build_keycloak:22::el9"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "rhbk/keycloak-rhel9-operator",
"defaultStatus": "affected",
"versions": [
{
"version": "22-16",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:build_keycloak:22::el9"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22.0.10",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "keycloak",
"cpes": [
"cpe:/a:redhat:build_keycloak:22"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss AMQ Broker 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unaffected",
"packageName": "keycloak",
"cpes": [
"cpe:/a:redhat:amq_broker:7.10"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss AMQ Broker 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unaffected",
"packageName": "keycloak",
"cpes": [
"cpe:/a:redhat:amq_broker:7.11"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss AMQ Broker 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unaffected",
"packageName": "keycloak",
"cpes": [
"cpe:/a:redhat:amq_broker:7.12"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7.6 for RHEL 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "rh-sso7-keycloak",
"defaultStatus": "affected",
"versions": [
{
"version": "0:18.0.13-1.redhat_00001.1.el7sso",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7.6 for RHEL 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "rh-sso7-keycloak",
"defaultStatus": "affected",
"versions": [
{
"version": "0:18.0.13-1.redhat_00001.1.el8sso",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7.6 for RHEL 9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "rh-sso7-keycloak",
"defaultStatus": "affected",
"versions": [
{
"version": "0:18.0.13-1.redhat_00001.1.el9sso",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
]
},
{
"vendor": "Red Hat",
"product": "RHEL-8 based Middleware Containers",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "rh-sso-7/sso76-openshift-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "7.6-46",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:rhosemc:1.0::el8"
]
},
{
"vendor": "Red Hat",
"product": "RHSSO 7.6.8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "keycloak",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Apicurio Registry",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "keycloak",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:service_registry:2"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Quarkus",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "org.keycloak/keycloak-core",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:quarkus:3"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Data Grid 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "org.wildfly.security-wildfly-elytron-parent",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Decision Manager 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "keycloak",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_brms_platform:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Data Grid 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Fuse 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Process Automation 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "keycloak",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
]
}
]References
access.redhat.com/errata/RHSA-2024:1860
access.redhat.com/errata/RHSA-2024:1861
access.redhat.com/errata/RHSA-2024:1862
access.redhat.com/errata/RHSA-2024:1864
access.redhat.com/errata/RHSA-2024:1866
access.redhat.com/errata/RHSA-2024:1867
access.redhat.com/errata/RHSA-2024:1868
access.redhat.com/errata/RHSA-2024:2945
access.redhat.com/errata/RHSA-2024:3752
access.redhat.com/errata/RHSA-2024:3762
access.redhat.com/errata/RHSA-2024:3919
access.redhat.com/errata/RHSA-2024:3989
access.redhat.com/security/cve/CVE-2024-1132
bugzilla.redhat.com/show_bug.cgi?id=2262117
Related
nvd
nvd
CVE-2024-1132
2024-04-17 14:15:07
cgr
cgr
CVE-2024-1132 vulnerabilities
2024-05-19 03:07:16
redhatcve
redhatcve
CVE-2024-1132
2024-04-17 13:02:33
cvelist
cvelist
CVE-2024-1132 Keycloak: path transversal in redirection validation
2024-04-17 13:21:19
vulnrichment
vulnrichment
CVE-2024-1132 Keycloak: path transversal in redirection validation
2024-04-17 13:21:19
github
github
Keycloak path traversal vulnerability in redirection validation
2024-04-17 18:25:08
osv
osv
CGA-wq9p-47vf-vg24
2024-06-06 12:26:31
Keycloak path traversal vulnerability in redirection validation
2024-04-17 18:25:08
CGA-qmcr-h79w-xf42
2024-06-06 12:26:19
veracode
veracode
Open Redirect
2024-04-18 04:12:09
wolfi
wolfi
CVE-2024-1132 vulnerabilities
2024-09-27 09:13:12
redhat
redhat
nessus
nessus
CVSS3
8.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
AI Score
5.7
Confidence
Low
EPSS
0.001
Percentile
17.0%
Related for CVE-2024-1132