Google OSV: GHSA-MPWQ-J3XF-7M5W
History: Dec 21, 2023 - 6:25 p.m.

The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted

2023-12-21 18:25:30
Source: Google, osv.dev
Tags: redirect_uri, validation logic, bypass, allowed hosts, keycloak, browsers, desynchronization, user-controllable input, authority, url decoded, original input

7.1 High
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

AI Score: 7 High (Confidence: Low)
EPSS: 0.001 Low (Percentile: 42.7%)

An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts.

The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input but in effect causes a desynchronization in how Keycloak and browsers interpret URLs. Keycloak, for example, receives “www%2ekeycloak%2eorg%2fapp%2f:[email protected]” and takes the authority to be keycloak.org, when it is actually example.com. This happens because the validation logic is performed on a URL-decoded version of the input, which no longer represents what was originally submitted.
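As an added example (not part of the advisory or of Keycloak's code), the two validation orders side by side in Python: the naive check decodes before reading the host and is fooled by a constructed URI of the kind the advisory describes, while the strict check reads the raw authority the browser will use. The allow-list, the sample URIs and the function names are assumptions.

```python
from urllib.parse import unquote, urlparse

# Constructed allow-list: the one host a client is registered for.
ALLOWED_HOSTS = {"www.keycloak.org"}

# Constructed redirect_uri modelled on the advisory: the raw authority is
# "www%2ekeycloak%2eorg%2fapp%2f:x@example.com", so a browser connects to
# example.com, while the percent-decoded string reads as a path on
# www.keycloak.org.
CONSTRUCTED_BYPASS = "https://www%2ekeycloak%2eorg%2fapp%2f:x@example.com/cb"
BENIGN = "https://www.keycloak.org/app/callback"


def browser_host(uri):
    """Host a browser actually connects to: parsed from the raw string."""
    return urlparse(uri).hostname


def naive_is_allowed(uri):
    """Flawed order described in the advisory: decode first, then validate.
    The decoded string no longer represents the original input."""
    return urlparse(unquote(uri)).hostname in ALLOWED_HOSTS


def strict_is_allowed(uri):
    """Hardened check: validate the raw authority, never a decoded copy."""
    parsed = urlparse(uri)
    if parsed.scheme != "https" or parsed.hostname is None:
        return False
    # Percent-encoding or userinfo in the authority has no legitimate use
    # for a registered redirect host; reject instead of reinterpreting.
    if "%" in parsed.netloc or "@" in parsed.netloc:
        return False
    # Decoding must not change how the authority is read; if it does,
    # Keycloak and the browser would disagree about the destination.
    if urlparse(unquote(uri)).netloc != parsed.netloc:
        return False
    return parsed.hostname in ALLOWED_HOSTS
```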

Acknowledgements

Karel Knibbe
