A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out to an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a server-side request forgery (SSRF) attack.
[
  {
    "vendor": "n/a",
    "product": "keycloak",
    "versions": [
      {
        "version": "keycloak 13.0.0",
        "status": "affected"
      }
    ]
  }
]