PT-2018-12648 · Red Hat · JBoss Keycloak

Laura Pardo

·

Published

2018-11-13

·

Updated

2022-05-13

·

CVE-2018-14658

CVSS v3.1

6.1

Medium

Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: JBoss Keycloak 3.2.1.Final
Description: The redirect URL supplied to both the login and the logout endpoints is verified in org.keycloak.protocol.oidc.utils.RedirectUtils without first being normalized. Because the value is compared against the client's registered valid redirect URIs in its raw form, a value that textually matches an allowed pattern can resolve, once the browser applies ordinary URI resolution, to a different location than the one the check approved. The result is an open redirect: a user who follows a crafted login or logout link is sent to a destination the registration was never meant to allow, which also exposes whatever the redirect carries (for login, the authorization code).
Recommendations: Upgrade to a fixed release. The Red Hat advisories RHSA-2018:3592 and RHSA-2018:3593 listed under Related Identifiers deliver patched builds of Red Hat Single Sign-On; for upstream Keycloak, move to a current release. Do not disable RedirectUtils: it is the class that performs redirect-URI validation, so removing it would turn every login and logout redirect into an open redirect. Until the upgrade is in place, tighten each client's Valid Redirect URIs to exact, absolute URIs and avoid wildcard (*) patterns, since the prefix matching used for wildcards is where a non-normalized value has room to differ from the intended target.
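The following is an added illustration for this advisory, not code from Keycloak's RedirectUtils or from Red Hat. It places a raw prefix check beside a normalize-then-compare check to show the class of mismatch the description refers to; the client registration and the candidate redirect URIs are constructed, and the dot-segment case is a representative example of what normalization removes, not a payload taken from the advisory.

```python
"""Redirect-URI validation: raw prefix match versus normalize-then-compare.

Added example for this advisory. It is not Keycloak's RedirectUtils code;
the client registration and the candidate URIs below are constructed.
"""
from urllib.parse import urlsplit
import posixpath

# Constructed registration, Keycloak-style: a trailing '*' marks a prefix pattern.
VALID_REDIRECTS = ["https://app.example.com/cb/*", "https://app.example.com/logout-done"]

DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_verify(redirect_uri, valid_redirects=VALID_REDIRECTS):
    """Compare the redirect_uri exactly as received: a string prefix test for
    '*' patterns, string equality otherwise. Nothing is normalized first, so a
    value such as 'https://app.example.com/cb/../../admin' passes the prefix
    test although the browser will land on /admin, outside the allowed path."""
    for pattern in valid_redirects:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def normalize(uri):
    """Reduce an absolute http(s) URI to (scheme, host, port, path) in canonical form.

    Returns None for anything that cannot be compared safely: relative or
    scheme-relative values, unknown schemes, userinfo, malformed ports, fragments.
    """
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None or parts.fragment:
        return None
    # Collapse '.' and '..' segments so '/cb/../../admin' becomes '/admin'.
    # normpath drops a trailing slash, which matters for prefix tests, so restore it.
    path = posixpath.normpath(parts.path or "/")
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"
    return scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme], path


def hardened_verify(redirect_uri, valid_redirects=VALID_REDIRECTS):
    """Normalize both the candidate and each registered pattern, then compare
    scheme, host and port for equality and the path by prefix (wildcard) or
    equality (exact). The comparison is made on the form the browser will
    actually resolve, which is the point the advisory's description makes."""
    candidate = normalize(redirect_uri)
    if candidate is None:
        return False
    c_scheme, c_host, c_port, c_path = candidate
    for pattern in valid_redirects:
        wildcard = pattern.endswith("*")
        allowed = normalize(pattern[:-1] if wildcard else pattern)
        if allowed is None:
            continue  # a malformed registration never grants access
        a_scheme, a_host, a_port, a_path = allowed
        if (c_scheme, c_host, c_port) != (a_scheme, a_host, a_port):
            continue
        if wildcard and c_path.startswith(a_path):
            return True
        if not wildcard and c_path == a_path:
            return True
    return False


def compare(redirect_uri):
    """Return (naive_result, hardened_result) for one candidate redirect_uri."""
    return naive_verify(redirect_uri), hardened_verify(redirect_uri)


if __name__ == "__main__":
    # Constructed candidates: a legitimate URI, a dot-segment escape that the raw
    # prefix test accepts, a differently cased host the raw test wrongly rejects,
    # and two forms the hardened check refuses to compare at all.
    for uri in [
        "https://app.example.com/cb/done",
        "https://app.example.com/cb/../../admin",
        "https://APP.EXAMPLE.COM:443/cb/done",
        "//evil.example/cb/",
        "https://user@app.example.com/cb/done",
    ]:
        print(f"{uri!r}: naive={compare(uri)[0]} hardened={compare(uri)[1]}")
```

The dot-segment case is the one to watch: the raw check and the browser disagree about where the redirect goes, and with a wildcard registration that disagreement is exactly what lets a value pass validation and still reach an unintended destination. The hardened variant also accepts a legitimately registered URI written with a different host case or an explicit default port, which a raw string comparison rejects; normalization makes the check both stricter where it matters and less brittle where it does not.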

Weakness Enumeration

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Related Identifiers

CVE-2018-14658
GHSA-3QH2-MCCC-Q5M6
RHSA-2018:3592
RHSA-2018:3593

Affected Products

JBoss Keycloak
Keycloak