2269371 – (CVE-2024-2419) CVE-2024-2419 keycloak: path traversal in the redirect validation

Bug 2269371 (CVE-2024-2419) - CVE-2024-2419 keycloak: path traversal in the redirect validation

Summary: CVE-2024-2419 keycloak: path traversal in the redirect validation

Keywords:
Status:	NEW
Alias:	CVE-2024-2419
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2269370
TreeView+	depends on / blocked

Reported:	2024-03-13 13:18 UTC by Patrick Del Bello
Modified:	2024-04-16 20:26 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	---
Doc Text:	A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to CVE-2023-6291.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:1867	0	None	None	None	2024-04-16 20:26:51 UTC

Description Patrick Del Bello 2024-03-13 13:18:48 UTC

An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts.

Comment 4 errata-xmlrpc 2024-04-16 20:26:50 UTC

This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:1867 https://access.redhat.com/errata/RHSA-2024:1867

Note You need to log in before you can comment on or make changes to this bug.