CVE-2024-1132

Keycloak: path transversal in redirection validation

CVSS 8.1 HIGHEPSS 1.6%CWE-22

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.1EPSS 1.6%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

17 abr 2024Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Produtos afetados

keycloakRed Hat · Migration Toolkit for Runtimes 1 on RHEL 8 Red Hat · MTA-6.2-RHEL-9 Red Hat · Red Hat AMQ Broker 7 Red Hat · Red Hat build of Apicurio Registry 2 Red Hat · Red Hat build of Keycloak 22 Red Hat · Red Hat build of Keycloak 22.0.10 Red Hat · Red Hat build of Quarkus Red Hat · Red Hat Data Grid 8 Red Hat · Red Hat Decision Manager 7 Red Hat · Red Hat Fuse 7 Red Hat · Red Hat JBoss Data Grid 7 Red Hat · Red Hat JBoss Enterprise Application Platform 6 Red Hat · Red Hat JBoss Enterprise Application Platform 7 Red Hat · Red Hat Process Automation 7 Red Hat · Red Hat Single Sign-On 7.6 for RHEL 7 Red Hat · Red Hat Single Sign-On 7.6 for RHEL 8 Red Hat · Red Hat Single Sign-On 7.6 for RHEL 9 Red Hat · RHEL-8 based Middleware Containers Red Hat · RHSSO 7.6.8

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências