Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Accepted
Permalink CVE-2023-6291
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @LeSuisse accepted 1 year, 4 months ago
Keycloak: redirect_uri validation bypass

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

References

Affected products

keycloak
rh-sso7-keycloak
  • *
rhbk/keycloak-rhel9
  • *
org.keycloak/keycloak-core
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
rh-sso-7/sso76-openshift-rhel8
  • *
Red Hat build of Keycloak 22.0.7
rh-sso-7/sso7-rhel8-operator-bundle
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers