CVE-2024-1132
Published: 2024-04-17
Severity: High, CVSS 3.1 base score 8.1 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain, or conduct further attacks. This flaw affects any client that uses a wildcard in the Valid Redirect URIs field, and requires the user to interact with the malicious URL.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | jboss_middleware_text-only_advisories | — | — |
| redhat | keycloak | >= 21.1.0 < 22.0.10 | 22.0.10 |
| redhat | keycloak | >= 23.0.0 < 24.0.3 | 24.0.3 |
| redhat | migration_toolkit_for_applications | — | — |
| redhat | openshift_container_platform | — | — |
| redhat | openshift_container_platform | — | — |
| redhat | openshift_container_platform_for_ibm_z | — | — |
| redhat | openshift_container_platform_for_ibm_z | — | — |
| redhat | openshift_container_platform_for_linuxone | — | — |
| redhat | openshift_container_platform_for_linuxone | — | — |
| redhat | openshift_container_platform_for_power | — | — |
| redhat | openshift_container_platform_for_power | — | — |
| redhat | single_sign-on | — | — |