Description

A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack

Remediation

References

https://access.redhat.com/errata/RHSA-2018:3592

https://access.redhat.com/errata/RHSA-2018:3593

https://access.redhat.com/errata/RHSA-2018:3595

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14658

Related Vulnerabilities

CVE-2021-33829 Vulnerability in npm package ckeditor4

CVE-2023-30519 Vulnerability in maven package org.jenkins-ci.plugins:quayio-trigger

CVE-2023-34453 Vulnerability in maven package org.xerial.snappy:snappy-java

CVE-2018-11775 Vulnerability in maven package org.apache.activemq:activemq-all

CVE-2023-32261 Vulnerability in maven package org.jenkins-ci.plugins:dimensionsscm

Severity

High

Classification

CWE-601 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory Issue Tracking