REDHAT-BUG-2312511
First published: Mon Sep 16 2024(Updated: )
It is possible to configure Keycloak in such a manner that any application with a 'Valid Redirect URI' set to <a href="http://localhost">http://localhost</a> or <a href="http://127.0.0.1">http://127.0.0.1</a> can be redirected to an arbitrary URL of the attackers choosing. In the process sensitive information such as the authorization code can be exposed to the attacker, resulting in possible session hijacking.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Keycloak |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://localhost
- http://127.0.0.1
- https://access.redhat.com/errata/RHSA-2024:6878
- https://access.redhat.com/errata/RHSA-2024:6879
- https://access.redhat.com/errata/RHSA-2024:6880
- https://access.redhat.com/errata/RHSA-2024:6882
- https://access.redhat.com/errata/RHSA-2024:6886
- https://access.redhat.com/errata/RHSA-2024:6888
- https://access.redhat.com/errata/RHSA-2024:6890
- https://access.redhat.com/errata/RHSA-2024:6887
- https://access.redhat.com/errata/RHSA-2024:6889
- https://access.redhat.com/errata/RHSA-2024:8824
- https://access.redhat.com/errata/RHSA-2024:8823
- https://access.redhat.com/errata/RHSA-2024:8826
- https://access.redhat.com/errata/RHSA-2024:10385
- https://access.redhat.com/errata/RHSA-2024:10386
- https://bugzilla.redhat.com/show_bug.cgi?id=2312511
Frequently Asked Questions
What is the severity of REDHAT-BUG-2312511?
The severity of REDHAT-BUG-2312511 is considered high due to its potential for arbitrary URL redirection.
How do I fix REDHAT-BUG-2312511?
To fix REDHAT-BUG-2312511, ensure that the 'Valid Redirect URI' settings do not include localhost or 127.0.0.1 in any applications.
What applications are affected by REDHAT-BUG-2312511?
REDHAT-BUG-2312511 affects configurations in Red Hat Build of Keycloak.
What kind of attack is possible due to REDHAT-BUG-2312511?
REDHAT-BUG-2312511 allows attackers to redirect users to arbitrary URLs, potentially leading to phishing attacks.
Is there a CVE associated with REDHAT-BUG-2312511?
Currently, there is no specific CVE associated with REDHAT-BUG-2312511.
- agent/severity
- agent/type
- agent/description
- agent/event
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-8883
- agent/references
- agent/last-modified-date
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/red hat
- canonical/keycloak