Description

A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack

Remediation

References

https://access.redhat.com/errata/RHSA-2018:3592

https://access.redhat.com/errata/RHSA-2018:3593

https://access.redhat.com/errata/RHSA-2018:3595

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14658

Related Vulnerabilities

CVE-2021-34797 Vulnerability in maven package org.apache.geode:geode-core

CVE-2023-50730 Vulnerability in maven package edu.gemini:gsp-graphql-core_sjs1_3

CVE-2018-1000665 Vulnerability in maven package org.webjars.bowergithub.dojo:dojo

CVE-2018-1000173 Vulnerability in maven package org.jenkins-ci.plugins:google-login

CVE-2023-37462 Vulnerability in maven package org.xwiki.platform:xwiki-platform-skin-ui

Severity

High

Classification

CWE-601 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory Issue Tracking