CVE-2024-8883

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

Credits

Red Hat would like to thank Karsten Meyer zu Selhausen and Niklas Conrad for reporting this issue.

References

https://access.redhat.com/errata/RHSA-2024:10385

https://access.redhat.com/errata/RHSA-2024:10386

https://access.redhat.com/errata/RHSA-2024:6878

https://access.redhat.com/errata/RHSA-2024:6879

https://access.redhat.com/errata/RHSA-2024:6880

https://access.redhat.com/errata/RHSA-2024:6882

https://access.redhat.com/errata/RHSA-2024:6886

https://access.redhat.com/errata/RHSA-2024:6887

https://access.redhat.com/errata/RHSA-2024:6888

https://access.redhat.com/errata/RHSA-2024:6889

https://access.redhat.com/errata/RHSA-2024:6890

https://access.redhat.com/errata/RHSA-2024:8823

https://access.redhat.com/errata/RHSA-2024:8824

https://access.redhat.com/errata/RHSA-2024:8826

https://access.redhat.com/security/cve/CVE-2024-8883

https://bugzilla.redhat.com/show_bug.cgi?id=2312511

https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java