Key Information
Bug 2312511 (CVE-2024-8883) - CVE-2024-8883 Keycloak: Vulnerable Redirect URI Validation Results in Open Redirect

Bug Details
Reported: 2024-09-16 06:28 UTC by OSIDB Bzimport
Modified: 2024-09-19 15:14 UTC
CC List: 34 users
Fixed In Version: Not specified
Doc Text: A misconfiguration flaw was found in Keycloak. If a client's 'Valid Redirect URI' is set to or , an attacker can redirect users to an arbitrary URL, exposing sensitive information such as the authorization code to the attacker and potentially leading to session hijacking.

Vulnerability Details
Product: Security Response
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium

Additional Information
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact: Not specified
Docs Contact: Not specified
URL: Not specified
Whiteboard: Not specified
Depends On: Not specified
Blocks: Not specified

Description:
It is possible to configure Keycloak such that any application whose 'Valid Redirect URI' is set to or can be redirected to an arbitrary URL of the attacker's choosing. In the process, sensitive information such as the authorization code can be exposed to the attacker, resulting in possible session hijacking. Because the authorization code is delivered to whatever redirect_uri passes validation, an over-permissive pattern turns the authorization server into an open redirect that hands the code to the attacker's endpoint.
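The check a practitioner would want here is a way to tell a loose 'Valid Redirect URI' pattern from a strict one before an attacker does. The block below is an added example and not Keycloak's code or the bug report's content: it models redirect_uri validation as exact match or prefix match for a trailing '*' (a simplified matcher assumed for illustration), shows that an attacker-controlled URI passes under a wildcard pattern but not under an exact one, and audits patterns for the shapes that make this possible (no pinned origin, a wildcard glued directly to the host, a non-https scheme). The sample URIs and hostnames are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample data (not from the bug report): the URI an attacker
# wants the authorization code delivered to.
ATTACKER_URI = "https://attacker.example/collect"

# Constructed sample client configurations: a weak one and a strict one.
WEAK_VALID_REDIRECT_URIS = ["*"]
STRICT_VALID_REDIRECT_URIS = ["https://app.example.com/callback"]


def pattern_matches(pattern: str, redirect_uri: str) -> bool:
    """Simplified matcher assumed for this example (not Keycloak's own
    implementation): a pattern ending in '*' is a prefix, anything else
    must match the redirect_uri exactly."""
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def is_redirect_allowed(redirect_uri: str, valid_redirect_uris) -> bool:
    """True if any configured pattern accepts the requested redirect_uri,
    i.e. the authorization code would be sent there."""
    return any(pattern_matches(p, redirect_uri) for p in valid_redirect_uris)


def audit_pattern(pattern: str):
    """Return findings for a 'Valid Redirect URI' pattern that is loose
    enough to let an attacker-chosen URI through. Empty list = no finding."""
    findings = []
    wildcard = pattern.endswith("*")
    prefix = pattern[:-1] if wildcard else pattern
    parts = urlsplit(prefix)

    if wildcard and not parts.netloc:
        # '*', '/*', 'https://*': nothing before the wildcard pins an origin.
        findings.append("no scheme and host before the wildcard: "
                        "the pattern does not pin the redirect to one origin")
    elif wildcard and parts.path == "" and not parts.query:
        # 'https://app.example.com*' also matches
        # 'https://app.example.com.attacker.example/...'.
        findings.append("wildcard immediately after the host: "
                        "matches lookalike hosts that start with this name")

    if parts.netloc and parts.scheme != "https":
        findings.append("non-https scheme: code can be observed in transit")
    return findings


def audit_client(valid_redirect_uris, redirect_uri=ATTACKER_URI):
    """Audit a client's configuration: returns (attacker_uri_allowed,
    {pattern: findings}) so both the outcome and the cause are visible."""
    report = {p: audit_pattern(p) for p in valid_redirect_uris}
    return is_redirect_allowed(redirect_uri, valid_redirect_uris), report


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_VALID_REDIRECT_URIS),
                      ("strict", STRICT_VALID_REDIRECT_URIS)):
        allowed, report = audit_client(cfg)
        print(f"{name}: attacker redirect allowed={allowed} findings={report}")
```

Run it as a script to see the weak configuration accept the attacker's URI and the strict one reject it; in practice the same audit can be pointed at an exported client list, one pattern at a time, to find the entries that need tightening to a full scheme, host and path.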