Vulnerability DatabaseCVE-2024-8883
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-8883
September 19, 2024
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
Affected Packages
org.keycloak:keycloak-services (JAVA):
Affected version(s) >=25.0.0 <25.0.6
Fix Suggestion:
Update to version 25.0.6
Related Resources (21)
https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java
https://access.redhat.com/errata/RHSA-2024:10385
https://access.redhat.com/errata/RHSA-2024:6886
https://access.redhat.com/errata/RHSA-2024:6887
https://access.redhat.com/errata/RHSA-2024:8823
https://bugzilla.redhat.com/show_bug.cgi?id=2312511
https://access.redhat.com/errata/RHSA-2024:6890
https://access.redhat.com/errata/RHSA-2024:6888
https://access.redhat.com/errata/RHSA-2024:6889
https://access.redhat.com/errata/RHSA-2024:10386
https://github.com/keycloak/keycloak/releases/tag/25.0.6
https://access.redhat.com/errata/RHSA-2024:6880
https://access.redhat.com/errata/RHSA-2024:6879
https://access.redhat.com/security/cve/CVE-2024-8883
https://access.redhat.com/errata/RHSA-2024:8824
https://nvd.nist.gov/vuln/detail/CVE-2024-8883
https://access.redhat.com/errata/RHSA-2024:8826
https://access.redhat.com/errata/RHSA-2024:6882
https://github.com/keycloak/keycloak/security/advisories/GHSA-w8gr-xwp4-r9f7
https://github.com/keycloak/keycloak
https://access.redhat.com/errata/RHSA-2024:6878
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
URL Redirection to Untrusted Site ('Open Redirect')
CWE-601
EPSS
Base Score:
4.97