Open redirect in Keycloak - CVE-2018-14658
Published: November 23, 2018
Vulnerability identifier: #VU16030
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-14658
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Keycloak
Affected software:
Keycloak
Keycloak
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to redirect the target user to external websites.
The weakness exists due to the Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. A remote attacker can trick the victim into visiting a specially crafted website and redirect users to malicious website.
The weakness exists due to the Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. A remote attacker can trick the victim into visiting a specially crafted website and redirect users to malicious website.
How to mitigate CVE-2018-14658
Install update from vendor's website.