CVE-2024-8883

2024-09-1916:15:06

CWE-601

[email protected]

web.nvd.nist.gov

misconfiguration

keycloak

sensitive information

authorization codes

session hijacking

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.005

Percentile

76.5%

JSON

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a ‘Valid Redirect URI’ is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

Affected configurations

Nvd

Node

redhatbuild_of_keycloakMatch-text-only

redhatopenshift_container_platformMatch4.11

redhatopenshift_container_platformMatch4.12

redhatopenshift_container_platform_for_ibm_zMatch4.9

redhatopenshift_container_platform_for_ibm_zMatch4.10

redhatopenshift_container_platform_for_linuxoneMatch4.9

redhatopenshift_container_platform_for_linuxoneMatch4.10

redhatopenshift_container_platform_for_powerMatch4.9

redhatopenshift_container_platform_for_powerMatch4.10

redhatsingle_sign-onMatch-text-only

redhatsingle_sign-onMatch7.6

VendorProductVersionCPE
redhatbuild_of_keycloak-cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*
redhatopenshift_container_platform4.11cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*
redhatopenshift_container_platform4.12cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*
redhatopenshift_container_platform_for_ibm_z4.9cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.9:*:*:*:*:*:*:*
redhatopenshift_container_platform_for_ibm_z4.10cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.10:*:*:*:*:*:*:*
redhatopenshift_container_platform_for_linuxone4.9cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*
redhatopenshift_container_platform_for_linuxone4.10cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*
redhatopenshift_container_platform_for_power4.9cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*
redhatopenshift_container_platform_for_power4.10cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*
redhatsingle_sign-on-cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*

Vendor	Product	Version	CPE
redhat	build_of_keycloak	-	cpe:2.3:a:redhat:build_of_keycloak:-::::text-only:::
redhat	openshift_container_platform	4.11	cpe:2.3:a:redhat:openshift_container_platform:4.11:::::::*
redhat	openshift_container_platform	4.12	cpe:2.3:a:redhat:openshift_container_platform:4.12:::::::*
redhat	openshift_container_platform_for_ibm_z	4.9	cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.9:::::::*
redhat	openshift_container_platform_for_ibm_z	4.10	cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.10:::::::*
redhat	openshift_container_platform_for_linuxone	4.9	cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:::::::*
redhat	openshift_container_platform_for_linuxone	4.10	cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:::::::*
redhat	openshift_container_platform_for_power	4.9	cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:::::::*
redhat	openshift_container_platform_for_power	4.10	cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:::::::*
redhat	single_sign-on	-	cpe:2.3:a:redhat:single_sign-on:-::::text-only:::