A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Redhat
  • Build Keycloak
  • Jboss Enterprise Application Platform
  • Red Hat Single Sign On
  • Rhosemc

No data.

Package CPE Advisory Released Date
Red Hat Build of Keycloak
org.keycloak/keycloak-services cpe:/a:redhat:build_keycloak:22 RHSA-2024:6888 2024-09-19T00:00:00Z
org.keycloak/keycloak-services cpe:/a:redhat:build_keycloak:24 RHSA-2024:6890 2024-09-19T00:00:00Z
Red Hat build of Keycloak 22
rhbk/keycloak-operator-bundle:22.0.13-1 cpe:/a:redhat:build_keycloak:22::el9 RHSA-2024:6887 2024-09-19T00:00:00Z
rhbk/keycloak-rhel9:22-18 cpe:/a:redhat:build_keycloak:22::el9 RHSA-2024:6887 2024-09-19T00:00:00Z
rhbk/keycloak-rhel9-operator:22-21 cpe:/a:redhat:build_keycloak:22::el9 RHSA-2024:6887 2024-09-19T00:00:00Z
Red Hat build of Keycloak 24
rhbk/keycloak-operator-bundle:24.0.8-1 cpe:/a:redhat:build_keycloak:24::el9 RHSA-2024:6889 2024-09-19T00:00:00Z
rhbk/keycloak-rhel9:24-17 cpe:/a:redhat:build_keycloak:24::el9 RHSA-2024:6889 2024-09-19T00:00:00Z
rhbk/keycloak-rhel9-operator:24-17 cpe:/a:redhat:build_keycloak:24::el9 RHSA-2024:6889 2024-09-19T00:00:00Z
Red Hat Single Sign-On 7
org.keycloak/keycloak-services cpe:/a:redhat:red_hat_single_sign_on:7.6 RHSA-2024:6886 2024-09-19T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.18-1.redhat_00001.1.el7sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el7 RHSA-2024:6878 2024-09-19T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.18-1.redhat_00001.1.el8sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el8 RHSA-2024:6879 2024-09-19T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-keycloak-0:18.0.18-1.redhat_00001.1.el9sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el9 RHSA-2024:6880 2024-09-19T00:00:00Z
RHEL-8 based Middleware Containers
rh-sso-7/sso76-openshift-rhel8:7.6-54 cpe:/a:redhat:rhosemc:1.0::el8 RHSA-2024:6882 2024-09-19T00:00:00Z
References
Link Providers
https://access.redhat.com/errata/RHSA-2024:6878 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:6879 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:6880 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:6882 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:6886 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:6887 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:6888 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:6889 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:6890 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2024-8883 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2312511 cve-icon cve-icon
https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-8883 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-8883 cve-icon
History

Thu, 19 Sep 2024 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhosemc
CPEs cpe:/a:redhat:build_keycloak:
cpe:/a:redhat:red_hat_single_sign_on:7		 cpe:/a:redhat:build_keycloak:22
cpe:/a:redhat:build_keycloak:22::el9
cpe:/a:redhat:build_keycloak:24
cpe:/a:redhat:build_keycloak:24::el9
cpe:/a:redhat:red_hat_single_sign_on:7.6
cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
cpe:/a:redhat:rhosemc:1.0::el8
Vendors & Products Redhat rhosemc
References

Thu, 19 Sep 2024 19:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 19 Sep 2024 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Sep 2024 16:00:00 +0000

Type Values Removed Values Added
Description A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
Title Keycloak: vulnerable redirect uri validation results in open redirec
First Time appeared Redhat
Redhat build Keycloak
Redhat jboss Enterprise Application Platform
Redhat red Hat Single Sign On
Weaknesses CWE-601
CPEs cpe:/a:redhat:build_keycloak:
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products Redhat
Redhat build Keycloak
Redhat jboss Enterprise Application Platform
Redhat red Hat Single Sign On
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-09-19T15:48:28.468Z

Updated: 2024-09-19T19:49:20.694Z

Reserved: 2024-09-16T06:45:30.550Z

Link: CVE-2024-8883

cve-icon Vulnrichment

Updated: 2024-09-19T17:56:46.135Z

cve-icon NVD

Status : Received

Published: 2024-09-19T16:15:06.403

Modified: 2024-09-19T20:15:07.687

Link: CVE-2024-8883

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-09-19T15:13:00Z

Links: CVE-2024-8883 - Bugzilla