A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Redhat |
|
Configuration 1 [-]
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Migration Toolkit for Runtimes 1 on RHEL 8 | |||
| mtr/mtr-operator-bundle:1.2-23 | cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 | RHSA-2024:3919 | 2024-06-13T00:00:00Z |
| mtr/mtr-rhel8-operator:1.2-15 | cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 | RHSA-2024:3919 | 2024-06-13T00:00:00Z |
| mtr/mtr-web-container-rhel8:1.2-16 | cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 | RHSA-2024:3919 | 2024-06-13T00:00:00Z |
| mtr/mtr-web-executor-container-rhel8:1.2-14 | cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 | RHSA-2024:3919 | 2024-06-13T00:00:00Z |
| MTA-6.2-RHEL-9 | |||
| mta/mta-windup-addon-rhel9:6.2.3-2 | cpe:/a:redhat:migration_toolkit_applications:6.2::el9 | RHSA-2024:3989 | 2024-06-20T00:00:00Z |
| Red Hat AMQ Broker 7 | |||
| keycloak | cpe:/a:redhat:amq_broker:7.10 | RHSA-2024:3752 | 2024-06-10T00:00:00Z |
| keycloak | cpe:/a:redhat:amq_broker:7.11 | RHSA-2024:3762 | 2024-06-10T00:00:00Z |
| keycloak | cpe:/a:redhat:amq_broker:7.12 | RHSA-2024:2945 | 2024-05-21T00:00:00Z |
| Red Hat build of Keycloak 22 | |||
| rhbk/keycloak-operator-bundle:22.0.10-1 | cpe:/a:redhat:build_keycloak:22::el9 | RHSA-2024:1867 | 2024-04-16T00:00:00Z |
| rhbk/keycloak-rhel9:22-13 | cpe:/a:redhat:build_keycloak:22::el9 | RHSA-2024:1867 | 2024-04-16T00:00:00Z |
| rhbk/keycloak-rhel9-operator:22-16 | cpe:/a:redhat:build_keycloak:22::el9 | RHSA-2024:1867 | 2024-04-16T00:00:00Z |
| Red Hat build of Keycloak 22.0.10 | |||
| keycloak | cpe:/a:redhat:build_keycloak:22 | RHSA-2024:1868 | 2024-04-16T00:00:00Z |
| Red Hat Single Sign-On 7.6 for RHEL 7 | |||
| rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el7sso | cpe:/a:redhat:red_hat_single_sign_on:7.6::el7 | RHSA-2024:1860 | 2024-04-16T00:00:00Z |
| Red Hat Single Sign-On 7.6 for RHEL 8 | |||
| rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el8sso | cpe:/a:redhat:red_hat_single_sign_on:7.6::el8 | RHSA-2024:1861 | 2024-04-16T00:00:00Z |
| Red Hat Single Sign-On 7.6 for RHEL 9 | |||
| rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el9sso | cpe:/a:redhat:red_hat_single_sign_on:7.6::el9 | RHSA-2024:1862 | 2024-04-16T00:00:00Z |
| RHEL-8 based Middleware Containers | |||
| rh-sso-7/sso76-openshift-rhel8:7.6-46 | cpe:/a:redhat:rhosemc:1.0::el8 | RHSA-2024:1864 | 2024-04-16T00:00:00Z |
| RHSSO 7.6.8 | |||
| keycloak | cpe:/a:redhat:red_hat_single_sign_on:7.6 | RHSA-2024:1866 | 2024-04-16T00:00:00Z |
No data.
Fixes
Solution
No solution given by the vendor.
Workaround
No current mitigation is available for this vulnerability.
References
History
Mon, 30 Jun 2025 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Redhat build Of Keycloak
Redhat jboss Middleware Text-only Advisories Redhat keycloak Redhat migration Toolkit For Applications Redhat migration Toolkit For Runtimes Redhat openshift Container Platform Redhat openshift Container Platform For Ibm Z Redhat openshift Container Platform For Linuxone Redhat openshift Container Platform For Power Redhat single Sign-on |
|
| CPEs | cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:* cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:* cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:migration_toolkit_for_applications:1.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.10:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.9:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:* cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:* cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:* |
|
| Vendors & Products |
Redhat build Of Keycloak
Redhat jboss Middleware Text-only Advisories Redhat keycloak Redhat migration Toolkit For Applications Redhat migration Toolkit For Runtimes Redhat openshift Container Platform Redhat openshift Container Platform For Ibm Z Redhat openshift Container Platform For Linuxone Redhat openshift Container Platform For Power Redhat single Sign-on |
Wed, 18 Sep 2024 08:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
MITRE
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2025-08-07T12:07:09.480Z
Reserved: 2024-01-31T17:07:33.455Z
Link: CVE-2024-1132
Vulnrichment
Updated: 2024-08-01T18:26:30.564Z
NVD
Status : Analyzed
Published: 2024-04-17T14:15:07.953
Modified: 2025-06-30T13:58:57.033
Link: CVE-2024-1132
Redhat
OpenCVE Enrichment
No data.