CVE-2023-6291

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description A flaw was found in the redirect uri validation logic in Keycloak, which may allow a bypass of otherwise explicitly allowed hosts. This issue arises due to a desynchronization in how Keycloak and browsers interpret URLs, specifically in the verifyRedirectUri method. The validation logic is performed on a URL decoded version, which no longer represents the original input. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.