Vulnerability Details CVE-2024-1132
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 47.1%
CVSS Severity
CVSS v3 Score 8.1
References
- https://access.redhat.com/errata/RHSA-2024:1860
- https://access.redhat.com/errata/RHSA-2024:1861
- https://access.redhat.com/errata/RHSA-2024:1862
- https://access.redhat.com/errata/RHSA-2024:1864
- https://access.redhat.com/errata/RHSA-2024:1866
- https://access.redhat.com/errata/RHSA-2024:1867
- https://access.redhat.com/errata/RHSA-2024:1868
- https://access.redhat.com/errata/RHSA-2024:2945
- https://access.redhat.com/errata/RHSA-2024:3752
- https://access.redhat.com/errata/RHSA-2024:3762
- https://access.redhat.com/errata/RHSA-2024:3919
- https://access.redhat.com/errata/RHSA-2024:3989
- https://access.redhat.com/security/cve/CVE-2024-1132
- https://bugzilla.redhat.com/show_bug.cgi?id=2262117
- https://access.redhat.com/errata/RHSA-2024:1860
- https://access.redhat.com/errata/RHSA-2024:1861
- https://access.redhat.com/errata/RHSA-2024:1862
- https://access.redhat.com/errata/RHSA-2024:1864
- https://access.redhat.com/errata/RHSA-2024:1866
- https://access.redhat.com/errata/RHSA-2024:1867
- https://access.redhat.com/errata/RHSA-2024:1868
- https://access.redhat.com/errata/RHSA-2024:2945
- https://access.redhat.com/errata/RHSA-2024:3752
- https://access.redhat.com/errata/RHSA-2024:3762
- https://access.redhat.com/errata/RHSA-2024:3919
- https://access.redhat.com/errata/RHSA-2024:3989
- https://access.redhat.com/security/cve/CVE-2024-1132
- https://bugzilla.redhat.com/show_bug.cgi?id=2262117
Products affected by CVE-2024-1132
-
cpe:2.3:a:redhat:build_of_keycloak:-
-
cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0
-
cpe:2.3:a:redhat:keycloak:21.1.0
-
cpe:2.3:a:redhat:keycloak:22.0.2
-
cpe:2.3:a:redhat:keycloak:22.0.7
-
cpe:2.3:a:redhat:keycloak:22.0.8
-
cpe:2.3:a:redhat:keycloak:22.0.9
-
cpe:2.3:a:redhat:keycloak:23.0.0
-
cpe:2.3:a:redhat:keycloak:23.0.1
-
cpe:2.3:a:redhat:keycloak:23.0.2
-
cpe:2.3:a:redhat:keycloak:23.0.3
-
cpe:2.3:a:redhat:keycloak:23.0.4
-
cpe:2.3:a:redhat:keycloak:23.0.5
-
cpe:2.3:a:redhat:keycloak:23.0.6
-
cpe:2.3:a:redhat:keycloak:23.0.7
-
cpe:2.3:a:redhat:keycloak:24.0.0
-
cpe:2.3:a:redhat:keycloak:24.0.1
-
cpe:2.3:a:redhat:keycloak:24.0.2
-
cpe:2.3:a:redhat:migration_toolkit_for_applications:1.0
-
cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-
-
cpe:2.3:a:redhat:openshift_container_platform:4.11
-
cpe:2.3:a:redhat:openshift_container_platform:4.12
-
cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.10
-
cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.9
-
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10
-
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9
-
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10
-
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9
-
cpe:2.3:a:redhat:single_sign-on:-
-
cpe:2.3:a:redhat:single_sign-on:7.6