Untriaged
CVE-2024-1132
8.1 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): NONE
Keycloak: path traversal in redirection validation
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request that bypasses validation and accesses other URLs and sensitive information within the domain, or to conduct further attacks. This flaw affects any client that uses a wildcard in the Valid Redirect URIs field, and it requires the user to interact with the malicious URL.
References
Affected products
keycloak
- <24.0.3
- <22.0.10
upstream
keycloak-core
rh-sso7-keycloak
- *
rhbk/keycloak-rhel9
- *
Red Hat AMQ Broker 7
mtr/mtr-rhel8-operator
- *
mtr/mtr-operator-bundle
- *
mta/mta-windup-addon-rhel9
- *
org.keycloak/keycloak-core
mtr/mtr-web-container-rhel8
- *
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
- *
rhbk/keycloak-operator-bundle
- *
rh-sso-7/sso76-openshift-rhel8
- *
Red Hat build of Keycloak 22.0.10
mtr/mtr-web-executor-container-rhel8
- *
org.wildfly.security-wildfly-elytron-parent
Matching in nixpkgs
pkgs.keycloak
Identity and access management for modern applications and services
pkgs.terraform-providers.keycloak
None
pkgs.python311Packages.python-keycloak
Provides access to the Keycloak API
pkgs.python312Packages.python-keycloak
Provides access to the Keycloak API
Package maintainers
- @talyz Kim Lindberger <kim.lindberger@gmail.com>
- @NickCao Nick Cao <nickcao@nichi.co>
- @ngerstle Nicholas Gerstle <ngerstle@gmail.com>