CVE-2024-1132

🗓️ 17 Apr 2024 13:21:19Reported by redhatType

Keycloak does not validate URLs, enabling attacker to bypass validation and access sensitive information

Reporter	Title	Published	Views	Family All 45
ATTACKERKB	CVE-2024-1132	17 Apr 202414:15	–	attackerkb
Chainguard	CVE-2024-1132 vulnerabilities	17 Apr 202414:15	–	cgr
Circl	CVE-2024-1132	8 Jul 202505:16	–	circl
CNNVD	Red Hat Keycloak 路径遍历漏洞	17 Apr 202400:00	–	cnnvd
Cvelist	CVE-2024-1132 Keycloak: path transversal in redirection validation	17 Apr 202413:21	–	cvelist
EUVD	EUVD-2024-1134	3 Oct 202520:07	–	euvd
Github Security Blog	Keycloak path traversal vulnerability in redirection validation	17 Apr 202418:25	–	github
NVD	CVE-2024-1132	17 Apr 202414:15	–	nvd
OSV	CGA-JRC6-WQ82-HMR6	29 Jan 202600:49	–	osv
OSV	CGA-QMCR-H79W-XF42	6 Jun 202412:26	–	osv

NVD

Node

redhat build_of_keycloakMatch-text-only

redhat jboss_middleware_text-only_advisoriesMatch1.0middleware

redhat keycloakRange21.1.0–22.0.10

redhat keycloakRange23.0.0–24.0.3

redhat migration_toolkit_for_applicationsMatch1.0

redhat migration_toolkit_for_runtimesMatch-

redhat openshift_container_platformMatch4.11

redhat openshift_container_platformMatch4.12

redhat openshift_container_platform_for_ibm_zMatch4.9

redhat openshift_container_platform_for_ibm_zMatch4.10

redhat openshift_container_platform_for_linuxoneMatch4.9

redhat openshift_container_platform_for_linuxoneMatch4.10

redhat openshift_container_platform_for_powerMatch4.9

redhat openshift_container_platform_for_powerMatch4.10

redhat single_sign-onMatch-text-only

redhat single_sign-onMatch7.6

[
  {
    "versions": [
      {
        "status": "affected",
        "version": "21.1.0",
        "lessThan": "22.0.10",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "23.0.0",
        "lessThan": "24.0.3",
        "versionType": "semver"
      }
    ],
    "packageName": "keycloak",
    "collectionURL": "https://github.com/keycloak/keycloak",
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Red Hat",
    "product": "Migration Toolkit for Runtimes 1 on RHEL 8",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "mtr/mtr-operator-bundle",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.2-23",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Migration Toolkit for Runtimes 1 on RHEL 8",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "mtr/mtr-rhel8-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.2-15",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Migration Toolkit for Runtimes 1 on RHEL 8",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "mtr/mtr-web-container-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.2-16",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Migration Toolkit for Runtimes 1 on RHEL 8",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "mtr/mtr-web-executor-container-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.2-14",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "MTA-6.2-RHEL-9",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "mta/mta-windup-addon-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "6.2.3-2",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:migration_toolkit_applications:6.2::el8",
      "cpe:/a:redhat:migration_toolkit_applications:6.2::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat AMQ Broker 7",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:amq_broker:7.10"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat AMQ Broker 7",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "defaultStatus": "unaffected",
    "packageName": "keycloak",
    "cpes": [
      "cpe:/a:redhat:amq_broker:7.11"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat AMQ Broker 7",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:amq_broker:7.12"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 22",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-operator-bundle",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "22.0.10-1",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:22::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 22",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "22-13",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:22::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 22",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-rhel9-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "22-16",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:22::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 22.0.10",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unaffected",
    "packageName": "keycloak",
    "cpes": [
      "cpe:/a:redhat:build_keycloak:22"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rh-sso7-keycloak",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:18.0.13-1.redhat_00001.1.el7sso",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rh-sso7-keycloak",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:18.0.13-1.redhat_00001.1.el8sso",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rh-sso7-keycloak",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:18.0.13-1.redhat_00001.1.el9sso",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "RHEL-8 based Middleware Containers",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rh-sso-7/sso76-openshift-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "7.6-46",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:rhosemc:1.0::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "RHSSO 7.6.8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unaffected",
    "packageName": "rh-sso7-keycloak",
    "cpes": [
      "cpe:/a:redhat:red_hat_single_sign_on:7.6"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Apicurio Registry 2",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "keycloak",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:service_registry:2"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "org.keycloak/keycloak-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:quarkus:2"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "org.keycloak/keycloak-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:quarkus:3"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Data Grid 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "org.wildfly.security-wildfly-elytron-parent",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:jboss_data_grid:8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Decision Manager 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "keycloak",
    "defaultStatus": "unknown",
    "cpes": [
      "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Fuse 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "keycloak",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jboss_fuse:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Data Grid 7",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "keycloak",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:jboss_data_grid:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Enterprise Application Platform 6",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "keycloak",
    "defaultStatus": "unknown",
    "cpes": [
      "cpe:/a:redhat:jboss_enterprise_application_platform:6"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Enterprise Application Platform 7",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "keycloak-core",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:jboss_enterprise_application_platform:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Process Automation 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "keycloak",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
    ]
  }
]

Source	Link
access	www.access.redhat.com/errata/RHSA-2024:1862
access	www.access.redhat.com/errata/RHSA-2024:1866
access	www.access.redhat.com/errata/RHSA-2024:1868
access	www.access.redhat.com/errata/RHSA-2024:3762
access	www.access.redhat.com/security/cve/CVE-2024-1132
access	www.access.redhat.com/errata/RHSA-2024:1864
access	www.access.redhat.com/errata/RHSA-2024:2945
access	www.access.redhat.com/errata/RHSA-2024:3752
access	www.access.redhat.com/errata/RHSA-2024:3919
access	www.access.redhat.com/errata/RHSA-2024:1860

16 May 2026 23:26Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.18.1

EPSS0.00326

SSVC

CWE-22