Lucene search

K

GoogleOSV:CVE-2023-6291

HistoryJan 26, 2024 - 3:15 p.m.

CVE-2023-6291

2024-01-2615:15:08

Google

osv.dev

11

keycloak

redirect_uri

validation

access token

impersonation

security flaw

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

6.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.7%

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

References

access.redhat.com/errata/RHSA-2023:7854

access.redhat.com/errata/RHSA-2023:7855

access.redhat.com/errata/RHSA-2023:7856

access.redhat.com/errata/RHSA-2023:7857

access.redhat.com/errata/RHSA-2023:7858

access.redhat.com/errata/RHSA-2023:7860

access.redhat.com/errata/RHSA-2023:7861

access.redhat.com/errata/RHSA-2024:0798

access.redhat.com/errata/RHSA-2024:0799

access.redhat.com/errata/RHSA-2024:0800

access.redhat.com/errata/RHSA-2024:0801

access.redhat.com/errata/RHSA-2024:0804

access.redhat.com/security/cve/CVE-2023-6291

bugzilla.redhat.com/show_bug.cgi?id=2251407

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

6.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.7%

Related for OSV:CVE-2023-6291

nvd2 veracode1 github1 cve2 prion1 redhatcve2 osv1 cvelist2 redhat12 nessus6