Nixpkgs security tracker

Accepted

Permalink CVE-2023-6291

7.1 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): Low (L)

updated 1 year, 5 months ago by @LeSuisse Activity log

Created suggestion 1 year, 5 months ago
@LeSuisse accepted 1 year, 5 months ago

Keycloak: redirect_uri validation bypass

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

References

RHSA-2023:7854 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2023:7855 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2023:7856 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2023:7857 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2023:7858 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2023:7860 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2023:7861 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2024:0798 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2024:0799 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2024:0800 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2024:0801 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2024:0804 x_refsource_REDHATvendor-advisoryx_transferred
https://access.redhat.com/security/cve/CVE-2023-6291 vdb-entryx_refsource_REDHATx_transferred
RHBZ#2251407 x_refsource_REDHATissue-trackingx_transferred

Affected products

keycloak

rh-sso7-keycloak

rhbk/keycloak-rhel9

org.keycloak/keycloak-core

rhbk/keycloak-rhel9-operator

rhbk/keycloak-operator-bundle

rh-sso-7/sso76-openshift-rhel8

Red Hat build of Keycloak 22.0.7

rh-sso-7/sso7-rhel8-operator-bundle

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

nixos-unstable 26.0.6
- nixpkgs-unstable 26.0.6
- nixos-unstable-small 26.0.7

Package maintainers

@NickCao Nick Cao <nickcao@nichi.co>
@talyz Kim Lindberger <kim.lindberger@gmail.com>
@ngerstle Nicholas Gerstle <ngerstle@gmail.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.keycloak

Package maintainers