Bug 2301875 (CVE-2024-7260)

Summary: CVE-2024-7260 keycloak-core: Open Redirect on Account page
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aschwart, bihu, boliveir, chazlett, dpalmer, drichtar, jkoops, mposolda, mulliken, pdrozd, peholase, pjindal, pskopek, rmartinc, rowaters, security-response-team, ssilvert, sthorger, vmuzikar, wfink
Target Milestone: ---Keywords: Security
Target Release: ---Flags: boliveir: needinfo? (pdelbell)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2024-09-09   

Description Patrick Del Bello 2024-07-31 03:05:09 UTC 
A vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage; this vulnerability is called an Open Redirect.

A trusted URL can fool both users and automation into believing that the URL is safe when in fact it redirects to a malicious server. This can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks.

Once a crafted URL is made, it can be sent to a Keycloak admin via email for example, and it will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can target users whom they know are Keycloak admins for further attacks in this way. It may be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. Finally, the malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.
Comment 1 Bruno Oliveira 2024-07-31 14:51:30 UTC 
Please add the steps to reproduce.
Comment 2 errata-xmlrpc 2024-09-09 16:05:28 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 24

Via RHSA-2024:6502 https://access.redhat.com/errata/RHSA-2024:6502
Comment 3 errata-xmlrpc 2024-09-09 16:05:50 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:6503 https://access.redhat.com/errata/RHSA-2024:6503