Moderate severityGHSA Advisory· Published Sep 19, 2024· Updated Apr 1, 2026
Keycloak: vulnerable redirect uri validation results in open redirec
CVE-2024-8883
Description
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.keycloak:keycloak-servicesMaven | < 22.0.13 | 22.0.13 |
org.keycloak:keycloak-servicesMaven | >= 23.0.0, < 24.0.8 | 24.0.8 |
org.keycloak:keycloak-servicesMaven | >= 25.0.0, < 25.0.6 | 25.0.6 |
Affected products
10- Range: >= 25.0.0, <= 25.0.5
- osv-coords9 versionspkg:apk/chainguard/keycloakpkg:apk/chainguard/keycloak-bitnami-compatpkg:apk/chainguard/keycloak-compatpkg:apk/chainguard/keycloak-iamguarded-compatpkg:apk/wolfi/keycloakpkg:apk/wolfi/keycloak-bitnami-compatpkg:apk/wolfi/keycloak-compatpkg:apk/wolfi/keycloak-iamguarded-compatpkg:maven/org.keycloak/keycloak-services
< 25.0.6-r0+ 8 more
- (no CPE)range: < 25.0.6-r0
- (no CPE)range: < 25.0.6-r0
- (no CPE)range: < 25.0.6-r0
- (no CPE)range: < 25.0.6-r0
- (no CPE)range: < 25.0.6-r0
- (no CPE)range: < 25.0.6-r0
- (no CPE)range: < 25.0.6-r0
- (no CPE)range: < 25.0.6-r0
- (no CPE)range: < 22.0.13
Patches
Vulnerability mechanics
References
21- access.redhat.com/errata/RHSA-2024:10385ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2024:10386ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2024:6878ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2024:6879ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2024:6880ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2024:6882ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2024:6886ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2024:6887ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2024:6888ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2024:6889ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2024:6890ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2024:8823ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2024:8824ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2024:8826ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-w8gr-xwp4-r9f7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-8883ghsaADVISORY
- access.redhat.com/security/cve/CVE-2024-8883ghsavdb-entryx_refsource_REDHATWEB
- bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
- github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.javaghsaWEB
- github.com/keycloak/keycloak/releases/tag/25.0.6ghsaWEB
- github.com/keycloak/keycloak/security/advisories/GHSA-w8gr-xwp4-r9f7ghsaWEB
News mentions
0No linked articles in our index yet.