A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.
CVE ID: CVE-2023-6291
Vendor: Red Hat
Product: Red Hat build of Keycloak 22
EPSS Score: 0.34% (estimated probability of exploitation in the wild)
EPSS Percentile: 71.36% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)
EPSS Date: 2025-02-04 (date this score was calculated)