Keycloak Open Redirect

GHSA-3qh2-mccc-q5m6 · CVE-2018-14658

Published May 13, 2022 · Modified Feb 16, 2024

Description

A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2018-14658
WEB https://access.redhat.com/errata/RHSA-2018:3592
WEB https://access.redhat.com/errata/RHSA-2018:3593
WEB https://access.redhat.com/errata/RHSA-2018:3595
WEB https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14658

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes