This bug is in the 'Embargoed' Data Category and access to this data must be restricted as per the Data Reuse Policy.
Bug 2312511 (CVE-2024-8883) - CVE-2024-8883 Keycloak: Vulnerable Redirect URI Validation Results in Open Redirect
Summary: CVE-2024-8883 Keycloak: Vulnerable Redirect URI Validation Results in Open Re...
Keywords:
Status: NEW
Alias: CVE-2024-8883
Deadline: 2024-09-19
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2024-09-16 06:28 UTC by OSIDB Bzimport
Modified: 2025-05-02 16:23 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed: Yes




Links
System                  ID               Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2024:10385  0        None      None    None     2024-11-26 15:35:28 UTC
Red Hat Product Errata  RHSA-2024:10386  0        None      None    None     2024-11-26 15:36:04 UTC
Red Hat Product Errata  RHSA-2024:6878   0        None      None    None     2024-09-19 16:41:19 UTC
Red Hat Product Errata  RHSA-2024:6879   0        None      None    None     2024-09-19 16:41:24 UTC
Red Hat Product Errata  RHSA-2024:6880   0        None      None    None     2024-09-19 16:41:36 UTC
Red Hat Product Errata  RHSA-2024:6882   0        None      None    None     2024-09-19 16:45:49 UTC
Red Hat Product Errata  RHSA-2024:6886   0        None      None    None     2024-09-19 16:54:31 UTC
Red Hat Product Errata  RHSA-2024:6887   0        None      None    None     2024-09-19 17:07:04 UTC
Red Hat Product Errata  RHSA-2024:6888   0        None      None    None     2024-09-19 17:02:48 UTC
Red Hat Product Errata  RHSA-2024:6889   0        None      None    None     2024-09-19 17:10:47 UTC
Red Hat Product Errata  RHSA-2024:6890   0        None      None    None     2024-09-19 17:06:41 UTC
Red Hat Product Errata  RHSA-2024:8823   0        None      None    None     2024-11-04 20:12:13 UTC
Red Hat Product Errata  RHSA-2024:8824   0        None      None    None     2024-11-04 20:11:49 UTC
Red Hat Product Errata  RHSA-2024:8826   0        None      None    None     2024-11-04 20:56:40 UTC

Description OSIDB Bzimport 2024-09-16 06:28:19 UTC
It is possible to configure Keycloak in such a manner that any application with a 'Valid Redirect URI' set to http://localhost or http://127.0.0.1 can be redirected to an arbitrary URL of the attacker's choosing. In the process sensitive information such as the authorization code can be exposed to the attacker, resulting in possible session hijacking.
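The description names the precondition an administrator has to look for: a client whose Valid Redirect URIs contain http://localhost or http://127.0.0.1. The following is an added example, not Keycloak's own code and not the patched validation logic from the errata above. It does two things: it audits a realm export (a constructed one, in the clientId/redirectUris shape of Keycloak's client representation) for enabled clients that carry such an entry, and it shows a deliberately strict check for a requested redirect_uri against a registered loopback URI in which only the port may differ, so that userinfo tricks, look-alike hosts, scheme changes and path changes are all refused. The function names and the sample realm are assumptions for illustration; ::1 is left out because the advisory does not mention it.

```python
"""Audit a Keycloak realm export for the CVE-2024-8883 precondition and
apply a strict loopback redirect_uri match.  Added example; not Keycloak code."""
import json
from urllib.parse import urlsplit

# The two Valid Redirect URI hosts the advisory text names as risky.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}

# Constructed realm export (hypothetical clients, not from a real deployment),
# using the clientId / enabled / redirectUris keys of Keycloak's client JSON.
REALM_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "cli-tool", "enabled": True,
         "redirectUris": ["http://localhost", "http://127.0.0.1"]},
        {"clientId": "spa", "enabled": True,
         "redirectUris": ["https://app.example.com/callback"]},
        {"clientId": "old-cli", "enabled": False,
         "redirectUris": ["http://localhost/*"]},
    ],
})


def is_loopback_registration(uri: str) -> bool:
    """True when a registered Valid Redirect URI points at localhost or
    127.0.0.1 over http/https, with or without a path, port or trailing '*'."""
    parts = urlsplit(uri.rstrip("*"))
    return parts.scheme in ("http", "https") and parts.hostname in LOOPBACK_HOSTS


def affected_clients(realm_json: str) -> list:
    """clientIds of enabled clients whose redirectUris include a loopback entry."""
    realm = json.loads(realm_json)
    return [
        c["clientId"]
        for c in realm.get("clients", [])
        if c.get("enabled", True)
        and any(is_loopback_registration(u) for u in c.get("redirectUris", []))
    ]


def loopback_redirect_allowed(registered: str, requested: str) -> bool:
    """Strict comparison of a requested redirect_uri with a registered loopback
    URI.  Following the spirit of RFC 8252 section 7.3, only the port may vary;
    scheme, host, path and query must be identical, and the requested URI must
    carry no userinfo or fragment.  Returns False for non-loopback registrations
    because this helper exists only for the loopback case."""
    reg, req = urlsplit(registered), urlsplit(requested)
    if reg.hostname not in LOOPBACK_HOSTS:
        return False
    # http://localhost@attacker.example parses with username 'localhost' and
    # hostname 'attacker.example'; refuse any userinfo outright.
    if req.username is not None or req.password is not None:
        return False
    if req.fragment:
        return False
    if req.scheme != reg.scheme or req.hostname != reg.hostname:
        return False  # also rejects localhost.attacker.example and 127.0.0.1 vs localhost
    if req.query != reg.query:
        return False
    return (req.path or "/") == (reg.path or "/")


if __name__ == "__main__":
    print("clients to review before patching:", affected_clients(REALM_EXPORT))
    for candidate in ("http://localhost:8080/",
                      "http://localhost@attacker.example/",
                      "http://localhost.attacker.example/",
                      "https://localhost/",
                      "http://localhost/other"):
        print(candidate, "->", loopback_redirect_allowed("http://localhost", candidate))
```

Run it against a real export (the JSON produced by a realm export, or the client list from the admin REST API) to get the list of clients to review; the strict matcher is a reference for what a safe loopback comparison looks like, not a description of how any Keycloak version implements it.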

Comment 3 errata-xmlrpc 2024-09-19 16:41:17 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2024:6878 https://access.redhat.com/errata/RHSA-2024:6878

Comment 4 errata-xmlrpc 2024-09-19 16:41:21 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2024:6879 https://access.redhat.com/errata/RHSA-2024:6879

Comment 5 errata-xmlrpc 2024-09-19 16:41:34 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2024:6880 https://access.redhat.com/errata/RHSA-2024:6880

Comment 6 errata-xmlrpc 2024-09-19 16:45:46 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:6882 https://access.redhat.com/errata/RHSA-2024:6882

Comment 7 errata-xmlrpc 2024-09-19 16:54:29 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2024:6886 https://access.redhat.com/errata/RHSA-2024:6886

Comment 8 errata-xmlrpc 2024-09-19 17:02:46 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:6888 https://access.redhat.com/errata/RHSA-2024:6888

Comment 9 errata-xmlrpc 2024-09-19 17:06:38 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:6890 https://access.redhat.com/errata/RHSA-2024:6890

Comment 10 errata-xmlrpc 2024-09-19 17:07:01 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:6887 https://access.redhat.com/errata/RHSA-2024:6887

Comment 11 errata-xmlrpc 2024-09-19 17:10:45 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 24

Via RHSA-2024:6889 https://access.redhat.com/errata/RHSA-2024:6889

Comment 12 errata-xmlrpc 2024-11-04 20:11:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2024:8824 https://access.redhat.com/errata/RHSA-2024:8824

Comment 13 errata-xmlrpc 2024-11-04 20:12:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2024:8823 https://access.redhat.com/errata/RHSA-2024:8823

Comment 14 errata-xmlrpc 2024-11-04 20:56:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:8826 https://access.redhat.com/errata/RHSA-2024:8826

Comment 15 errata-xmlrpc 2024-11-26 15:35:26 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:10385 https://access.redhat.com/errata/RHSA-2024:10385

Comment 16 errata-xmlrpc 2024-11-26 15:36:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2024:10386 https://access.redhat.com/errata/RHSA-2024:10386

