Description

A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack

Remediation

References

https://access.redhat.com/errata/RHSA-2018:3592

https://access.redhat.com/errata/RHSA-2018:3593

https://access.redhat.com/errata/RHSA-2018:3595

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14658

Related Vulnerabilities

CVE-2017-1000118 Vulnerability in maven package com.typesafe.akka:akka-http-core_2.11

CVE-2017-15682 Vulnerability in maven package org.craftercms:crafter-studio

CVE-2020-9482 Vulnerability in maven package org.apache.nifi.registry:nifi-registry-web-api

CVE-2023-25158 Vulnerability in maven package org.geotools.jdbc:gt-jdbc-oracle

CVE-2021-41182 Vulnerability in npm package jquery-ui

Severity

High

Classification

CWE-601 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory Issue Tracking