Main Vulnerability Database Vulnerabilities #VU16030

#VU16030 Open redirect in Keycloak - CVE-2018-14658

Published: November 23, 2018

Vulnerability identifier: #VU16030

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-14658

CWE-ID: CWE-601

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Keycloak

Software vendor:
Keycloak

Description

The vulnerability allows a remote unauthenticated attacker to redirect the target user to external websites.

The weakness exists due to the Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. A remote attacker can trick the victim into visiting a specially crafted website and redirect users to malicious website.

Remediation

Install update from vendor's website.

External links

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14658

#VU16030 Open redirect in Keycloak - CVE-2018-14658

Description

Remediation

External links

Please verify you're human