Bug 2312511 (CVE-2024-8883)

Summary: CVE-2024-8883 Keycloak: Vulnerable Redirect URI Validation Results in Open Redirect
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abhraj, aschwart, asoldano, bbaranow, bihu, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drichtar, fjuma, istudens, ivassile, iweiss, jkoops, lgao, mosmerov, mposolda, msochure, msvehla, nwallace, pdrozd, peholase, pesilva, pjindal, pmackay, pskopek, rmartinc, rowaters, rstancel, security-response-team, smaestri, ssilvert, sthorger, tom.jenkinson, vmuzikar, wfink
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed: Yes
Deadline: 2024-09-19

Description OSIDB Bzimport 2024-09-16 06:28:19 UTC
It is possible to configure Keycloak in such a manner that any application with a 'Valid Redirect URI' set to http://localhost or http://127.0.0.1 can be redirected to an arbitrary URL of the attacker's choosing. In the process sensitive information such as the authorization code can be exposed to the attacker, resulting in possible session hijacking.

Comment 3 errata-xmlrpc 2024-09-19 16:41:17 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2024:6878 https://access.redhat.com/errata/RHSA-2024:6878

Comment 4 errata-xmlrpc 2024-09-19 16:41:21 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2024:6879 https://access.redhat.com/errata/RHSA-2024:6879

Comment 5 errata-xmlrpc 2024-09-19 16:41:34 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2024:6880 https://access.redhat.com/errata/RHSA-2024:6880

Comment 6 errata-xmlrpc 2024-09-19 16:45:46 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:6882 https://access.redhat.com/errata/RHSA-2024:6882

Comment 7 errata-xmlrpc 2024-09-19 16:54:29 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2024:6886 https://access.redhat.com/errata/RHSA-2024:6886

Comment 8 errata-xmlrpc 2024-09-19 17:02:46 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:6888 https://access.redhat.com/errata/RHSA-2024:6888

Comment 9 errata-xmlrpc 2024-09-19 17:06:38 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:6890 https://access.redhat.com/errata/RHSA-2024:6890

Comment 10 errata-xmlrpc 2024-09-19 17:07:01 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:6887 https://access.redhat.com/errata/RHSA-2024:6887

Comment 11 errata-xmlrpc 2024-09-19 17:10:45 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 24

Via RHSA-2024:6889 https://access.redhat.com/errata/RHSA-2024:6889

Comment 12 errata-xmlrpc 2024-11-04 20:11:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2024:8824 https://access.redhat.com/errata/RHSA-2024:8824

Comment 13 errata-xmlrpc 2024-11-04 20:12:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2024:8823 https://access.redhat.com/errata/RHSA-2024:8823

Comment 14 errata-xmlrpc 2024-11-04 20:56:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:8826 https://access.redhat.com/errata/RHSA-2024:8826

Comment 15 errata-xmlrpc 2024-11-26 15:35:26 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:10385 https://access.redhat.com/errata/RHSA-2024:10385

Comment 16 errata-xmlrpc 2024-11-26 15:36:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2024:10386 https://access.redhat.com/errata/RHSA-2024:10386