CVE-2023-6291

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

Published: Jan 26, 2024
Updated: May 9, 2024
CVE: CVE-2023-6291
GHSA: GHSA-mpwq-j3xf-7m5w
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CWEs:

Affected Software
References

Software	From	Fixed in
org.keycloak / keycloak-services	-	23.0.3
redhat / keycloak	-	22.0.7
redhat / openshift_container_platform	4.11	4.11.x
redhat / openshift_container_platform	4.12	4.12.x
redhat / openshift_container_platform_for_ibm_z	4.9	4.9.x
redhat / openshift_container_platform_for_ibm_z	4.10	4.10.x
redhat / openshift_container_platform_for_linuxone	4.9	4.9.x
redhat / openshift_container_platform_for_linuxone	4.10	4.10.x
redhat / openshift_container_platform_for_power	4.9	4.9.x
redhat / openshift_container_platform_for_power	4.10	4.10.x
redhat / single_sign-on	7.6	7.6.x
redhat / migration_toolkit_for_applications	6.0	6.0.x
redhat / migration_toolkit_for_applications	7.0	7.0.x

Vulnerability Database

289,571

CVE-2023-6291