CVE-2024-1132

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.

Published: Apr 17, 2024
Updated: May 4, 2025
CVE: CVE-2024-1132
GHSA: GHSA-72vp-xfrc-42xm
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
org.keycloak / keycloak-services	-	22.0.10
org.keycloak / keycloak-services	23.0.0	24.0.3
redhat / jboss_middleware_text-only_advisories	1.0	1.0.x
redhat / openshift_container_platform	4.12	4.12.x
redhat / openshift_container_platform	4.11	4.11.x
redhat / openshift_container_platform_for_power	4.10	4.10.x
redhat / keycloak	21.1.0	22.0.10
redhat / keycloak	23.0.0	24.0.3
redhat / single_sign-on	7.6	7.6.x
redhat / openshift_container_platform_for_power	4.9	4.9.x
redhat / openshift_container_platform_for_linuxone	4.10	4.10.x
redhat / openshift_container_platform_for_linuxone	4.9	4.9.x
redhat / openshift_container_platform_for_ibm_z	4.10	4.10.x
redhat / openshift_container_platform_for_ibm_z	4.9	4.9.x
redhat / migration_toolkit_for_applications	1.0	1.0.x

Vulnerability Database

CVE-2024-1132