CVE-2024-8883

Oct. 1, 2024, 1:15 p.m.

6.1
Medium

Description

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

Product(s) Impacted

Vendor Product Versions
Redhat
  • Build Of Keycloak
  • Openshift Container Platform
  • Openshift Container Platform For Ibm Z
  • Openshift Container Platform For Linuxone
  • Openshift Container Platform For Power
  • Single Sign-on
  • -
  • 4.11, 4.12
  • 4.9, 4.10
  • 4.9, 4.10
  • 4.9, 4.10
  • -, 7.6

Weaknesses

CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

*CPE(s)

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a redhat build_of_keycloak - / / / text-only / / /
a redhat openshift_container_platform 4.11 / / / / / / /
a redhat openshift_container_platform 4.12 / / / / / / /
a redhat openshift_container_platform_for_ibm_z 4.9 / / / / / / /
a redhat openshift_container_platform_for_ibm_z 4.10 / / / / / / /
a redhat openshift_container_platform_for_linuxone 4.9 / / / / / / /
a redhat openshift_container_platform_for_linuxone 4.10 / / / / / / /
a redhat openshift_container_platform_for_power 4.9 / / / / / / /
a redhat openshift_container_platform_for_power 4.10 / / / / / / /
a redhat single_sign-on - / / / text-only / / /
a redhat single_sign-on 7.6 / / / / / / /

References

https://access.redhat.com/errata/RHSA-2024:6878
https://access.redhat.com/errata/RHSA-2024:6879
https://access.redhat.com/errata/RHSA-2024:6880
https://access.redhat.com/errata/RHSA-2024:6882
https://access.redhat.com/errata/RHSA-2024:6886
https://access.redhat.com/errata/RHSA-2024:6887
https://access.redhat.com/errata/RHSA-2024:6888
https://access.redhat.com/errata/RHSA-2024:6889
https://access.redhat.com/errata/RHSA-2024:6890
https://access.redhat.com/security/cve/CVE-2024-8883
https://bugzilla.redhat.com/show_bug.cgi?id=2312511
https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java

Tags

secalert@redhat.com
CWE-601
2024-09-19
CVE-2024-8883

CVSS Score

6.1 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Date

  • Published: Sept. 19, 2024, 4:15 p.m.
  • Last Modified: Oct. 1, 2024, 1:15 p.m.

Status : Modified

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

secalert@redhat.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.