PT-2018-12648 · Red Hat · Jboss Keycloak+1

Laura Pardo

Published 2018-11-13 · Updated 2022-05-13

CVE-2018-14658

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the vulnerable software and affected versions: JBoss Keycloak version 3.2.1.Final

Description: A flaw was found in the software where the redirect URL for both login and logout is not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect URL is verified against the client's registered redirect URIs. Because the comparison is made on the raw string rather than on its canonical form, a redirect_uri that passes the textual check can resolve, once the user agent follows it, to a location outside what the client registered. This can lead to an open redirection attack.

Recommendations: The Red Hat advisories listed under related identifiers on this page (RHSA-2018:3592 and RHSA-2018:3593) track the fixed builds; apply them. Note that org.keycloak.protocol.oidc.utils.RedirectUtils is the class that performs the redirect check itself, so "disabling" it, as the original advisory text suggests, is not a workable mitigation. Until a patched build is deployed, register exact, fully qualified Valid Redirect URIs for each client and avoid wildcard patterns, which limits what an unnormalized comparison can be tricked into accepting.
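The following is an added example, written in Python rather than Keycloak's Java and not taken from the Keycloak project, that shows the class of flaw the description names: a redirect_uri compared textually against a client's registered pattern, next to the same check performed after normalization. The trailing-'*' pattern syntax, the registered URI `https://app.example.com/app1/*` and the probe URIs are constructed for the example; the page does not describe the specific input used against Keycloak and none is claimed here.

```python
"""Redirect-URI check before and after normalization.

Added example illustrating the class of flaw described for CVE-2018-14658
(a redirect URI matched against the client's registered patterns without first
being normalized). This is not Keycloak's code: the trailing-'*' pattern
syntax, the registered URI and the sample redirect_uri values are assumptions
constructed for the example.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed sample: one client, allowed to redirect only under /app1/ on its host.
REGISTERED = ["https://app.example.com/app1/*"]


def matches_pattern(uri: str, pattern: str) -> bool:
    """Textual match: prefix match for 'prefix*' patterns, exact match otherwise."""
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def verify_redirect_vulnerable(redirect_uri: str, registered=REGISTERED) -> bool:
    """Compare the raw string as supplied by the client (the advisory's failure mode)."""
    return any(matches_pattern(redirect_uri, p) for p in registered)


def normalize(redirect_uri: str):
    """Canonicalize a redirect URI or return None if it is malformed or unsafe.

    Lower-cases scheme and host, fills in the default port, percent-decodes
    the path and resolves '.' and '..' segments. Rejects userinfo, fragments,
    backslashes and control characters, which browsers interpret in ways a
    plain string comparison does not see.
    """
    if "\\" in redirect_uri or any(ord(c) < 0x20 for c in redirect_uri):
        return None
    parts = urlsplit(redirect_uri)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None or parts.fragment:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    path = unquote(parts.path) or "/"
    # posixpath.normpath resolves '.' and '..' and clamps anything climbing above '/'
    norm = posixpath.normpath("/" + path.lstrip("/"))
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return scheme, parts.hostname.lower(), port, norm


def verify_redirect_fixed(redirect_uri: str, registered=REGISTERED) -> bool:
    """Normalize both sides, require exact scheme/host/port, then compare paths."""
    cand = normalize(redirect_uri)
    if cand is None:
        return False
    for pattern in registered:
        wildcard = pattern.endswith("*")
        reg = normalize(pattern[:-1] if wildcard else pattern)
        if reg is None or cand[:3] != reg[:3]:
            continue
        if wildcard and cand[3].startswith(reg[3]):
            return True
        if not wildcard and cand[3] == reg[3]:
            return True
    return False


if __name__ == "__main__":
    # Constructed probes: one legitimate URI and three that only the raw match accepts.
    for uri in [
        "https://app.example.com/app1/home",
        "https://app.example.com/app1/../app2/login",
        "https://app.example.com/app1/%2e%2e/app2/",
        "https://app.example.com/app1/..\\app2/",
    ]:
        print(f"{uri:48} raw={verify_redirect_vulnerable(uri)!s:5} "
              f"normalized={verify_redirect_fixed(uri)}")
```

The same check applies to the post-logout redirect as to the authorization-endpoint redirect_uri, which is why the advisory names both. Normalizing the registered pattern as well as the candidate matters: if only the candidate is canonicalized, an administrator's pattern with a stray `.` segment or upper-case host would never match a legitimate client.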

Weakness enumeration

Open Redirect

Related identifiers

CVE-2018-14658
GHSA-3QH2-MCCC-Q5M6
RHSA-2018:3592
RHSA-2018:3593

Affected products

Jboss Keycloak
Keycloak