Bug 2255024 (CVE-2023-6920)

Summary: CVE-2023-6920 keycloak-core: Reflected XSS via wildcard in OIDC redirect_uri. Incomplete fix of CVE-2023-6134
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: CLOSED DUPLICATE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: boliveir, chazlett, drichtar, mcascell, mulliken, pdrozd, peholase, pjindal, pskopek, rowaters, sthorger
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An incomplete fix was found in the Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". Changing the response_mode parameter in the original proof of concept from "form_post" to "form_post.jwt" can bypass the security patch implemented to address CVE-2023-6134.
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-12-18 16:22:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2255023    

Description Patrick Del Bello 2023-12-18 15:01:34 UTC
An incomplete fix was found in the Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". It is observed that changing the response_mode parameter in the original proof of concept from "form_post" to "form_post.jwt" can bypass the security patch implemented to address CVE-2023-6134.
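The bypass above comes from a check that special-cased one response_mode string. The example below is added here and is not Keycloak's code or part of this report: it is an illustrative defender-side redirect_uri check that treats "form_post" and every JARM (".jwt") response mode as one family, so a wildcard registration is refused for all of them rather than for "form_post" alone. The trailing-"*" wildcard syntax and the sample registrations are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Response modes that deliver the authorization response in a POST body or as
# a JARM JWT. The CVE-2023-6134 fix covered "form_post"; this report shows the
# "form_post.jwt" variant slipped past it, so the whole family is grouped here.
POST_OR_JARM_MODES = {"form_post", "form_post.jwt", "query.jwt", "fragment.jwt", "jwt"}


def _is_wildcard(pattern):
    # Assumption for this example: a wildcard is only a single trailing "*".
    return pattern.endswith("*")


def _matches(redirect_uri, pattern):
    # A wildcard pattern is a plain prefix match; anything else must be exact.
    if _is_wildcard(pattern):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def check_redirect(redirect_uri, response_mode, registered_uris):
    """Return (allowed, reason) for redirect_uri against a client's registered list."""
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.fragment:
        return False, "redirect_uri must be an absolute http(s) URI without a fragment"
    # An exact registration always wins; only fall back to a wildcard one.
    if any(not _is_wildcard(p) and _matches(redirect_uri, p) for p in registered_uris):
        return True, "exact match"
    wild = [p for p in registered_uris if _is_wildcard(p) and _matches(redirect_uri, p)]
    if not wild:
        return False, "redirect_uri not registered for this client"
    # Wildcard registrations are refused for the whole POST/JARM family, not
    # just the one string the earlier patch looked for.
    if response_mode in POST_OR_JARM_MODES:
        return False, f"wildcard redirect_uri not allowed with response_mode={response_mode}"
    return True, f"wildcard match on {wild[0]}"


if __name__ == "__main__":
    # Constructed sample registrations for a hypothetical client.
    registered = ["https://app.example.com/callback", "https://app.example.com/*"]
    for uri, mode in [("https://app.example.com/callback", "form_post.jwt"),
                      ("https://app.example.com/anything", "query"),
                      ("https://app.example.com/anything", "form_post"),
                      ("https://app.example.com/anything", "form_post.jwt")]:
        print(mode, uri, check_redirect(uri, mode, registered))
```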

Comment 2 Mauro Matteo Cascella 2023-12-18 16:22:46 UTC

*** This bug has been marked as a duplicate of bug 2255027 ***