Description
A flaw was found in JBOSS Keycloak 3.2.1.Final. The redirect URLs for both login and logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect URL is verified against the configured allowlist, so a URL that passes the check in its raw form can resolve to a different destination after normalization. This can lead to an open redirection attack.
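To illustrate the defect class described above (verification performed before normalization), here is an added Java example. It is not Keycloak's code and does not reproduce RedirectUtils; the allowlist entry, the sample URLs and the method names weakVerify and normalizedVerify are constructed for this illustration. It contrasts a prefix match on the raw string with a check that parses and normalizes the URL first and then compares scheme, host, port and path.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

public final class RedirectCheck {
    // Hypothetical allowlist entry, constructed for this example.
    private static final List<String> ALLOWED =
            List.of("https://app.example.test/callback/");

    /** Weak check: string prefix match on the raw, un-normalized value. */
    static boolean weakVerify(String redirectUri) {
        return ALLOWED.stream().anyMatch(redirectUri::startsWith);
    }

    /** Hardened check: parse and normalize first, then compare components. */
    static boolean normalizedVerify(String redirectUri) {
        URI candidate;
        try {
            candidate = new URI(redirectUri).normalize(); // collapses "." and ".." segments
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected, not guessed at
        }
        if (candidate.getScheme() == null || candidate.getHost() == null) {
            return false; // relative or schemeless values are not accepted
        }
        if (candidate.getUserInfo() != null) {
            return false; // reject "user@host" forms that confuse host parsing
        }
        for (String allowed : ALLOWED) {
            URI a = URI.create(allowed).normalize();
            if (a.getScheme().equalsIgnoreCase(candidate.getScheme())
                    && a.getHost().equalsIgnoreCase(candidate.getHost())
                    && a.getPort() == candidate.getPort()
                    && candidate.getPath() != null
                    && candidate.getPath().startsWith(a.getPath())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed samples: the second one passes the raw prefix check but
        // normalizes to a path outside the allowed prefix.
        String[] samples = {
            "https://app.example.test/callback/done",
            "https://app.example.test/callback/../admin",
            "https://other.example.test/callback/"
        };
        for (String s : samples) {
            System.out.printf("%-48s weak=%-5b normalized=%-5b%n",
                    s, weakVerify(s), normalizedVerify(s));
        }
    }
}
```

Running the class shows the second sample accepted by weakVerify and rejected by normalizedVerify, which is the ordering problem the description points at: verification must operate on the same canonical form that the browser will eventually follow.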
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14658
https://access.redhat.com/errata/RHSA-2018:3595
https://access.redhat.com/errata/RHSA-2018:3593
https://access.redhat.com/errata/RHSA-2018:3592