Description
Keycloak allows an unauthenticated attacker to send arbitrary values in 'request_uri' parameter and interact with internal network resources which is otherwise not accessible externally. An attacker may use this feature to perform Blind SSRF (Server-side request forgery) attacks on the server.
Remediation
Upgrade to the latest version of Keycloak