Lucene search

GitHub Advisory DatabaseGHSA-3P75-Q5CC-QMJ7

HistoryDec 19, 2023 - 12:30 a.m.

Keycloak Open Redirect vulnerability

2023-12-1900:30:21

CWE-601

GitHub Advisory Database

github.com

keycloak

open redirect

vulnerability

authorization codes

tokens

security patch

cve-2023-6134

jarm response mode

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

45.7%

JSON

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode “form_post.jwt” which could be used to bypass the security patch implemented to address CVE-2023-6134.

Affected configurations

Vulners

Node

org.keycloak\keycloakMatchparent

CPENameOperatorVersion
org.keycloak:keycloak-parentle23.0.3

CPE	Name	Operator	Version
	org.keycloak:keycloak-parent	le	23.0.3

References

access.redhat.com/errata/RHSA-2024:0094

access.redhat.com/errata/RHSA-2024:0095

access.redhat.com/errata/RHSA-2024:0096

access.redhat.com/errata/RHSA-2024:0097

access.redhat.com/errata/RHSA-2024:0098

access.redhat.com/errata/RHSA-2024:0100

access.redhat.com/errata/RHSA-2024:0101

access.redhat.com/security/cve/CVE-2023-6927

bugzilla.redhat.com/show_bug.cgi?id=2255027

github.com/advisories/GHSA-3p75-q5cc-qmj7

nvd.nist.gov/vuln/detail/CVE-2023-6927

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

45.7%

JSON

Related for GHSA-3P75-Q5CC-QMJ7