CVE-2024-8883 Information
Description
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker and potentially leading to session hijacking.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Reference
https://access.redhat.com/security/cve/CVE-2024-8883
https://bugzilla.redhat.com/show_bug.cgi?id=2312511
https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java
https://access.redhat.com/errata/RHSA-2024:6878
https://access.redhat.com/errata/RHSA-2024:6879
https://access.redhat.com/errata/RHSA-2024:6880
https://access.redhat.com/errata/RHSA-2024:6882
https://access.redhat.com/errata/RHSA-2024:6886
https://access.redhat.com/errata/RHSA-2024:6887
https://access.redhat.com/errata/RHSA-2024:6888
https://access.redhat.com/errata/RHSA-2024:6889
https://access.redhat.com/errata/RHSA-2024:6890
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
6.8
Base Severity
MEDIUM