Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-8883

CWE-601 Open Redirect
7 documents, 7 sources
Severity
6.1 MEDIUM
EPSS
5.1%
top 10.16%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Sep 19
Latest update: Oct 14

Description

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

Maven: org.keycloak:keycloak-services, 23.0.0 / 24.0.8 (+2)

Also affects: Openshift Container Platform 4.11, 4.12, 4.10, 4.9

🔴 Vulnerability Details

4
GHSA
Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect (2024-10-14)
OSV
Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect (2024-10-14)
CVEList
Keycloak: vulnerable redirect uri validation results in open redirect (2024-09-19)
VulnCheck
Red Hat build_of_keycloak URL Redirection to Untrusted Site ('Open Redirect') (2024)

💥 Exploits & PoCs

1
Nuclei
Keycloak - Open Redirect

📋 Vendor Advisories

1
Red Hat
Keycloak: Vulnerable Redirect URI Validation Results in Open Redirect (2024-09-19)