CVE-2024-7260

An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2024:6502	Issue Tracking
https://access.redhat.com/errata/RHSA-2024:6503	Issue Tracking
https://access.redhat.com/security/cve/CVE-2024-7260	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2301875	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:build_of_keycloak::::::::
	cpe:2.3:a:redhat:keycloak::::::::

History

No history.

Information

Published : 2024-09-09 19:15

Updated : 2024-10-01 14:15

NVD link : CVE-2024-7260

Mitre link : CVE-2024-7260

CVE.ORG link : CVE-2024-7260

JSON object : View

Products Affected

redhat

keycloak
build_of_keycloak

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2024-7260", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-09-09T19:15:14.033", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:6502", "tags": ["Issue Tracking"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:6503", "tags": ["Issue Tracking"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2024-7260", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301875", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks.\r\n\r\nOnce a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de redirecci\u00f3n abierta en Keycloak. Se puede construir una URL especialmente manipulada donde los par\u00e1metros referrer y referrer_uri se crean para enga\u00f1ar a un usuario para que visite una p\u00e1gina web maliciosa. Una URL confiable puede enga\u00f1ar a los usuarios y a la automatizaci\u00f3n haci\u00e9ndoles creer que la URL es segura, cuando, de hecho, redirecciona a un servidor malicioso. Este problema puede provocar que una v\u00edctima conf\u00ede inadvertidamente en el destino de la redirecci\u00f3n, lo que puede llevar a un ataque de phishing exitoso u otros tipos de ataques. Una vez que se crea una URL manipulada, se puede enviar a un administrador de Keycloak por correo electr\u00f3nico, por ejemplo. Esto activar\u00e1 esta vulnerabilidad cuando el usuario visite la p\u00e1gina y haga clic en el enlace. Un actor malicioso puede usar esto para apuntar a usuarios que sabe que son administradores de Keycloak para futuros ataques. Tambi\u00e9n puede ser posible eludir otros controles de seguridad relacionados con el dominio, como proporcionar esto como una URL de redireccionamiento de OAuth. El actor malicioso puede ofuscar a\u00fan m\u00e1s la redirect_uri mediante la codificaci\u00f3n de URL, para ocultar el texto del dominio real del sitio web malicioso."}], "lastModified": "2024-10-01T14:15:06.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "802E2FCC-19AA-419E-8A1B-50E8F612A687", "versionEndExcluding": "24.0.7"}, {"criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78B09F16-131D-4A15-9D00-A085F210E717", "versionEndExcluding": "24.0.7"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}