Lucene search

K
githubGitHub Advisory DatabaseGHSA-3P75-Q5CC-QMJ7
HistoryDec 19, 2023 - 12:30 a.m.

Keycloak Open Redirect vulnerability

2023-12-1900:30:21
CWE-601
GitHub Advisory Database
github.com
29
keycloak
open redirect
vulnerability
authorization codes
tokens
security patch
cve-2023-6134
jarm response mode

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

45.7%

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode β€œform_post.jwt” which could be used to bypass the security patch implemented to address CVE-2023-6134.

Affected configurations

Vulners
Node
org.keycloak\keycloakMatchparent
CPENameOperatorVersion
org.keycloak:keycloak-parentle23.0.3

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

45.7%