CVE-2023-6134

Summary

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat build of Keycloak 2222.0.7-1 < *unaffected
Red HatRed Hat build of Keycloak 2222-6 < *unaffected
Red HatRed Hat build of Keycloak 2222-9 < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 70:18.0.11-2.redhat_00003.1.el7sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 70:18.0.12-1.redhat_00001.1.el7sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 80:18.0.11-2.redhat_00003.1.el8sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 80:18.0.12-1.redhat_00001.1.el8sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 90:18.0.11-2.redhat_00003.1.el9sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 90:18.0.12-1.redhat_00001.1.el9sso < *unaffected
Red HatRHEL-8 based Middleware Containers7.6-38 < *unaffected
Red HatRHEL-8 based Middleware Containers7.6.6-2 < *unaffected
Red HatRHEL-8 based Middleware Containers7.6-41 < *unaffected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CVE Program Container

Additional References

References