CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
76.5%
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a ‘Valid Redirect URI’ is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
Vendor | Product | Version | CPE |
---|---|---|---|
redhat | build_of_keycloak | - | cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:* |
redhat | openshift_container_platform | 4.11 | cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:* |
redhat | openshift_container_platform | 4.12 | cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:* |
redhat | openshift_container_platform_for_ibm_z | 4.9 | cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.9:*:*:*:*:*:*:* |
redhat | openshift_container_platform_for_ibm_z | 4.10 | cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.10:*:*:*:*:*:*:* |
redhat | openshift_container_platform_for_linuxone | 4.9 | cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:* |
redhat | openshift_container_platform_for_linuxone | 4.10 | cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:* |
redhat | openshift_container_platform_for_power | 4.9 | cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:* |
redhat | openshift_container_platform_for_power | 4.10 | cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:* |
redhat | single_sign-on | - | cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:* |
access.redhat.com/errata/RHSA-2024:6878
access.redhat.com/errata/RHSA-2024:6879
access.redhat.com/errata/RHSA-2024:6880
access.redhat.com/errata/RHSA-2024:6882
access.redhat.com/errata/RHSA-2024:6886
access.redhat.com/errata/RHSA-2024:6887
access.redhat.com/errata/RHSA-2024:6888
access.redhat.com/errata/RHSA-2024:6889
access.redhat.com/errata/RHSA-2024:6890
access.redhat.com/security/cve/CVE-2024-8883
bugzilla.redhat.com/show_bug.cgi?id=2312511
github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java