Bug 2255027 (CVE-2023-6927) - CVE-2023-6927 keycloak: open redirect via "form_post.jwt" JARM response mode
Summary: CVE-2023-6927 keycloak: open redirect via "form_post.jwt" JARM response mode
Keywords:
Status: NEW
Alias: CVE-2023-6927
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
: CVE-2023-6920 (view as bug list)
Depends On:
Blocks: 2255028
TreeView+ depends on / blocked
 
Reported: 2023-12-18 15:53 UTC by Mauro Matteo Cascella
Modified: 2024-04-23 15:28 UTC (History)
11 users (show)

Fixed In Version: keycloak 23.0.4
Doc Type: ---
Doc Text:
A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:0094 0 None None None 2024-01-09 16:06:13 UTC
Red Hat Product Errata RHSA-2024:0095 0 None None None 2024-01-09 16:06:32 UTC
Red Hat Product Errata RHSA-2024:0096 0 None None None 2024-01-09 16:06:09 UTC
Red Hat Product Errata RHSA-2024:0097 0 None None None 2024-01-09 17:04:08 UTC
Red Hat Product Errata RHSA-2024:0098 0 None None None 2024-01-09 16:08:53 UTC
Red Hat Product Errata RHSA-2024:0100 0 None None None 2024-01-09 17:37:14 UTC
Red Hat Product Errata RHSA-2024:0101 0 None None None 2024-01-09 16:42:19 UTC
Red Hat Product Errata RHSA-2024:0798 0 None None None 2024-02-13 16:53:31 UTC
Red Hat Product Errata RHSA-2024:0799 0 None None None 2024-02-13 16:52:47 UTC
Red Hat Product Errata RHSA-2024:0800 0 None None None 2024-02-13 16:53:15 UTC
Red Hat Product Errata RHSA-2024:0801 0 None None None 2024-02-13 16:54:34 UTC
Red Hat Product Errata RHSA-2024:0804 0 None None None 2024-02-13 17:08:05 UTC

Description Mauro Matteo Cascella 2023-12-18 15:53:08 UTC
An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". It is observed that changing the response_mode parameter in the original proof of concept from "form_post" to "form_post.jwt" can bypass the security patch implemented to address CVE-2023-6134.

Comment 1 Mauro Matteo Cascella 2023-12-18 15:56:03 UTC
Red Hat would like to thankPontus Hanssen <Pontus.Hanssen> for reporting this issue.

Comment 3 Mauro Matteo Cascella 2023-12-18 16:22:46 UTC
*** Bug 2255024 has been marked as a duplicate of this bug. ***

Comment 6 errata-xmlrpc 2024-01-09 16:06:07 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2024:0096 https://access.redhat.com/errata/RHSA-2024:0096

Comment 7 errata-xmlrpc 2024-01-09 16:06:12 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2024:0094 https://access.redhat.com/errata/RHSA-2024:0094

Comment 8 errata-xmlrpc 2024-01-09 16:06:31 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2024:0095 https://access.redhat.com/errata/RHSA-2024:0095

Comment 9 errata-xmlrpc 2024-01-09 16:08:51 UTC
This issue has been addressed in the following products:

  Single Sign-On 7.6.6

Via RHSA-2024:0098 https://access.redhat.com/errata/RHSA-2024:0098

Comment 10 errata-xmlrpc 2024-01-09 16:42:17 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22.0.8

Via RHSA-2024:0101 https://access.redhat.com/errata/RHSA-2024:0101

Comment 11 errata-xmlrpc 2024-01-09 17:04:07 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:0097 https://access.redhat.com/errata/RHSA-2024:0097

Comment 12 errata-xmlrpc 2024-01-09 17:37:13 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:0100 https://access.redhat.com/errata/RHSA-2024:0100

Comment 13 errata-xmlrpc 2024-02-13 16:52:45 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2024:0799 https://access.redhat.com/errata/RHSA-2024:0799

Comment 14 errata-xmlrpc 2024-02-13 16:53:14 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2024:0800 https://access.redhat.com/errata/RHSA-2024:0800

Comment 15 errata-xmlrpc 2024-02-13 16:53:29 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2024:0798 https://access.redhat.com/errata/RHSA-2024:0798

Comment 16 errata-xmlrpc 2024-02-13 16:54:32 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:0801 https://access.redhat.com/errata/RHSA-2024:0801

Comment 17 errata-xmlrpc 2024-02-13 17:08:04 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2024:0804 https://access.redhat.com/errata/RHSA-2024:0804


Note You need to log in before you can comment on or make changes to this bug.