Moderate severity · NVD Advisory · Published Dec 14, 2023 · Updated Feb 25, 2026
Keycloak: reflected XSS via wildcard in OIDC redirect_uri
CVE-2023-6134
Description
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.keycloak:keycloak-services | Maven | < 23.0.3 | 23.0.3 |
Affected products
- Red Hat / Red Hat build of Keycloak 22.0.7: cpe:/a:redhat:build_keycloak:22
- cpe:/a:redhat:red_hat_single_sign_on:7.6
- cpe:/a:redhat:red_hat_single_sign_on:7.6.6
- cpe:/a:redhat:red_hat_single_sign_on:7.6::el7 (range: 0:18.0.12-1.redhat_00001.1.el7sso)
- cpe:/a:redhat:red_hat_single_sign_on:7.6::el8 (range: 0:18.0.12-1.redhat_00001.1.el8sso)
- cpe:/a:redhat:red_hat_single_sign_on:7.6::el9 (range: 0:18.0.12-1.redhat_00001.1.el9sso)
- Red Hat / RHEL-8 based Middleware Containers: cpe:/a:redhat:rhosemc:1.0::el8 (range: 7.6-41)
References
- access.redhat.com/errata/RHSA-2023:7854 (vendor advisory)
- access.redhat.com/errata/RHSA-2023:7855 (vendor advisory)
- access.redhat.com/errata/RHSA-2023:7856 (vendor advisory)
- access.redhat.com/errata/RHSA-2023:7857 (vendor advisory)
- access.redhat.com/errata/RHSA-2023:7858 (vendor advisory)
- access.redhat.com/errata/RHSA-2023:7860 (vendor advisory)
- access.redhat.com/errata/RHSA-2023:7861 (vendor advisory)
- access.redhat.com/errata/RHSA-2024:0798 (vendor advisory)
- access.redhat.com/errata/RHSA-2024:0799 (vendor advisory)
- access.redhat.com/errata/RHSA-2024:0800 (vendor advisory)
- access.redhat.com/errata/RHSA-2024:0801 (vendor advisory)
- access.redhat.com/errata/RHSA-2024:0804 (vendor advisory)
- github.com/advisories/GHSA-cvg2-7c3j-g36j (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-6134 (advisory)
- access.redhat.com/security/cve/CVE-2023-6134 (vulnerability database entry)
- bugzilla.redhat.com/show_bug.cgi (issue tracking)
- github.com/keycloak/keycloak/commit/15a21bf8e4fb71f006ba9caf25b9c9d1d152cd20 (fix commit)
- github.com/keycloak/keycloak/security/advisories/GHSA-cvg2-7c3j-g36j (project advisory)