CVE-2024-1132
Keycloak: path transversal in redirection validation
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Affected products
keycloakRed Hat · Migration Toolkit for Runtimes 1 on RHEL 8Red Hat · MTA-6.2-RHEL-9Red Hat · Red Hat AMQ Broker 7Red Hat · Red Hat build of Apicurio Registry 2Red Hat · Red Hat build of Keycloak 22Red Hat · Red Hat build of Keycloak 22.0.10Red Hat · Red Hat build of QuarkusRed Hat · Red Hat Data Grid 8Red Hat · Red Hat Decision Manager 7Red Hat · Red Hat Fuse 7Red Hat · Red Hat JBoss Data Grid 7Red Hat · Red Hat JBoss Enterprise Application Platform 6Red Hat · Red Hat JBoss Enterprise Application Platform 7Red Hat · Red Hat Process Automation 7Red Hat · Red Hat Single Sign-On 7.6 for RHEL 7Red Hat · Red Hat Single Sign-On 7.6 for RHEL 8Red Hat · Red Hat Single Sign-On 7.6 for RHEL 9Red Hat · RHEL-8 based Middleware ContainersRed Hat · RHSSO 7.6.8Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://access.redhat.com/errata/RHSA-2024:1860https://access.redhat.com/errata/RHSA-2024:1861https://access.redhat.com/errata/RHSA-2024:1862https://access.redhat.com/errata/RHSA-2024:1864https://access.redhat.com/errata/RHSA-2024:1866https://access.redhat.com/errata/RHSA-2024:1867https://access.redhat.com/errata/RHSA-2024:1868https://access.redhat.com/errata/RHSA-2024:2945https://access.redhat.com/errata/RHSA-2024:3752https://access.redhat.com/errata/RHSA-2024:3762https://access.redhat.com/errata/RHSA-2024:3919https://access.redhat.com/errata/RHSA-2024:3989