Redhat Migration Toolkit For Applications vulnerabilities

4 known vulnerabilities affecting redhat/migration_toolkit_for_applications.

Total CVEs: 4
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: HIGH 4

Vulnerabilities

CVE-2024-1132 | HIGH | CVSS 8.1 | v1.0 | 2024-04-17
CVE-2024-1132 [HIGH] CWE-22: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URI
Source: nvd
CVE-2023-6291 | HIGH | CVSS 7.1 | v6.0, v7.0 | 2024-01-26
CVE-2023-6291 [HIGH] CWE-601: A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.
Source: nvd
CVE-2023-44487 | HIGH | CVSS 7.5 | KEV, PoC | v6.0 | 2023-10-10
CVE-2023-44487 [HIGH] CWE-400: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Source: nvd
CVE-2022-4492 | HIGH | CVSS 7.5 | v6.0 | 2023-02-23
CVE-2022-4492 [HIGH] CWE-918: The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
Source: nvd