A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Redhat
  • Amq Broker
  • Build Keycloak
  • Jboss Data Grid
  • Jboss Enterprise Application Platform
  • Jboss Enterprise Bpms Platform
  • Jboss Enterprise Brms Platform
  • Jboss Fuse
  • Migration Toolkit Applications
  • Migration Toolkit Runtimes
  • Quarkus
  • Red Hat Single Sign On
  • Rhosemc
  • Service Registry

No data.

Package CPE Advisory Released Date
Migration Toolkit for Runtimes 1 on RHEL 8
mtr/mtr-operator-bundle:1.2-23 cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 RHSA-2024:3919 2024-06-13T00:00:00Z
mtr/mtr-rhel8-operator:1.2-15 cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 RHSA-2024:3919 2024-06-13T00:00:00Z
mtr/mtr-web-container-rhel8:1.2-16 cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 RHSA-2024:3919 2024-06-13T00:00:00Z
mtr/mtr-web-executor-container-rhel8:1.2-14 cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 RHSA-2024:3919 2024-06-13T00:00:00Z
MTA-6.2-RHEL-9
mta/mta-windup-addon-rhel9:6.2.3-2 cpe:/a:redhat:migration_toolkit_applications:6.2::el9 RHSA-2024:3989 2024-06-20T00:00:00Z
Red Hat build of Keycloak 22
rhbk/keycloak-operator-bundle:22.0.10-1 cpe:/a:redhat:build_keycloak:22::el9 RHSA-2024:1867 2024-04-16T00:00:00Z
rhbk/keycloak-rhel9:22-13 cpe:/a:redhat:build_keycloak:22::el9 RHSA-2024:1867 2024-04-16T00:00:00Z
rhbk/keycloak-rhel9-operator:22-16 cpe:/a:redhat:build_keycloak:22::el9 RHSA-2024:1867 2024-04-16T00:00:00Z
Red Hat build of Keycloak 22.0.10
keycloak cpe:/a:redhat:build_keycloak:22 RHSA-2024:1868 2024-04-16T00:00:00Z
Red Hat JBoss A-MQ 7
keycloak cpe:/a:redhat:amq_broker:7.10 RHSA-2024:3752 2024-06-10T00:00:00Z
keycloak cpe:/a:redhat:amq_broker:7.11 RHSA-2024:3762 2024-06-10T00:00:00Z
keycloak cpe:/a:redhat:amq_broker:7.12 RHSA-2024:2945 2024-05-21T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el7sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el7 RHSA-2024:1860 2024-04-16T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el8sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el8 RHSA-2024:1861 2024-04-16T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el9sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el9 RHSA-2024:1862 2024-04-16T00:00:00Z
RHEL-8 based Middleware Containers
rh-sso-7/sso76-openshift-rhel8:7.6-46 cpe:/a:redhat:rhosemc:1.0::el8 RHSA-2024:1864 2024-04-16T00:00:00Z
RHSSO 7.6.8
keycloak cpe:/a:redhat:red_hat_single_sign_on:7.6 RHSA-2024:1866 2024-04-16T00:00:00Z
References
Link Providers
https://access.redhat.com/errata/RHSA-2024:1860 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1861 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1862 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1864 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1866 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1867 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1868 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:2945 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:3752 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:3762 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:3919 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:3989 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2024-1132 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2262117 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-1132 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-1132 cve-icon
History

Wed, 18 Sep 2024 08:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-04-17T13:21:19.130Z

Updated: 2024-09-17T00:22:32.964Z

Reserved: 2024-01-31T17:07:33.455Z

Link: CVE-2024-1132

cve-icon Vulnrichment

Updated: 2024-08-01T18:26:30.564Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-17T14:15:07.953

Modified: 2024-07-03T01:45:01.507

Link: CVE-2024-1132

cve-icon Redhat

Severity : Important

Publid Date: 2024-04-16T00:00:00Z

Links: CVE-2024-1132 - Bugzilla