Lucene search

GitHub Advisory DatabaseGHSA-3P75-Q5CC-QMJ7

HistoryDec 19, 2023 - 12:30 a.m.

Keycloak Open Redirect vulnerability

2023-12-1900:30:21

CWE-601

GitHub Advisory Database

github.com

keycloak

open redirect

vulnerability

authorization codes

tokens

security patch

cve-2023-6134

jarm response mode

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.5

Confidence

Low

EPSS

0.001

Percentile

51.4%

JSON

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode “form_post.jwt” which could be used to bypass the security patch implemented to address CVE-2023-6134.

Affected configurations

Vulners

Node

org.keycloakkeycloak-parentRange≤23.0.3

VendorProductVersionCPE
org.keycloakkeycloak-parent*cpe:2.3:a:org.keycloak:keycloak-parent:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.keycloak	keycloak-parent	*	cpe:2.3:a:org.keycloak:keycloak-parent::::::::

References

access.redhat.com/errata/RHSA-2024:0094

access.redhat.com/errata/RHSA-2024:0095

access.redhat.com/errata/RHSA-2024:0096

access.redhat.com/errata/RHSA-2024:0097

access.redhat.com/errata/RHSA-2024:0098

access.redhat.com/errata/RHSA-2024:0100

access.redhat.com/errata/RHSA-2024:0101

access.redhat.com/security/cve/CVE-2023-6927

bugzilla.redhat.com/show_bug.cgi?id=2255027

github.com/advisories/GHSA-3p75-q5cc-qmj7

nvd.nist.gov/vuln/detail/CVE-2023-6927

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.5

Confidence

Low

EPSS

0.001

Percentile

51.4%

JSON

Related for GHSA-3P75-Q5CC-QMJ7