CVE Alert

CVE-2024-8883

MEDIUM 6.1

Keycloak: vulnerable redirect URI validation results in open redirect

CVSS Score: 6.1
EPSS Score: 0.0%
EPSS Percentile: 0th

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
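As an added defender-side check (example code written for this page, not Keycloak's own code and not part of the advisory): a script that scans a Keycloak realm export for clients whose Valid Redirect URIs point at http://localhost or http://127.0.0.1, the misconfiguration this CVE describes. The sample export is constructed; the `clients` / `redirectUris` keys assume the standard realm export layout.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a Keycloak realm export. The "clients" array with
# "clientId" and "redirectUris" is the usual export layout; the client
# entries themselves are made up for this example.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "web-app", "redirectUris": ["https://app.example.com/*"]},
        {"clientId": "dev-tool",
         "redirectUris": ["http://localhost", "http://127.0.0.1:8080/*"]},
        {"clientId": "api-gw", "redirectUris": ["https://gw.example.com/cb"]},
    ],
})

# The two hosts named in the CVE description. Extend if your policy also
# forbids other loopback forms.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


def is_loopback_redirect(uri: str) -> bool:
    """True if a registered redirect URI targets localhost or 127.0.0.1.

    urlsplit tolerates Keycloak's trailing path wildcard ("/*") and strips
    any port, so "http://127.0.0.1:8080/*" resolves to host "127.0.0.1".
    """
    try:
        host = urlsplit(uri).hostname
    except ValueError:  # malformed URI (e.g. bad IPv6 brackets)
        return False
    return host in LOOPBACK_HOSTS


def find_loopback_clients(realm_json: str) -> dict[str, list[str]]:
    """Map clientId -> loopback redirect URIs for every client that has one."""
    realm = json.loads(realm_json)
    findings: dict[str, list[str]] = {}
    for client in realm.get("clients", []):
        hits = [u for u in client.get("redirectUris", [])
                if is_loopback_redirect(u)]
        if hits:
            findings[client["clientId"]] = hits
    return findings


if __name__ == "__main__":
    for client_id, uris in find_loopback_clients(SAMPLE_REALM_EXPORT).items():
        print(f"{client_id}: review loopback redirect URIs {uris}")
```

Run it against a real export (`kc.sh export`) and treat every reported client as a candidate for tightening its Valid Redirect URIs, alongside applying the vendor fix.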

CWE: CWE-601
Published: Sep 19, 2024
Last Updated: Apr 1, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

Red Hat / Red Hat Build of Keycloak
All versions affected
Red Hat / Red Hat build of Keycloak 22
All versions affected
Red Hat / Red Hat build of Keycloak 24
All versions affected
Red Hat / Red Hat JBoss Enterprise Application Platform 8
All versions affected
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected
Red Hat / Red Hat Single Sign-On 7
All versions affected
Red Hat / Red Hat Single Sign-On 7.6 for RHEL 7
All versions affected
Red Hat / Red Hat Single Sign-On 7.6 for RHEL 8
All versions affected
Red Hat / Red Hat Single Sign-On 7.6 for RHEL 9
All versions affected
Red Hat / RHEL-8 based Middleware Containers
All versions affected

References

https://access.redhat.com/errata/RHSA-2024:10385
https://access.redhat.com/errata/RHSA-2024:10386
https://access.redhat.com/errata/RHSA-2024:6878
https://access.redhat.com/errata/RHSA-2024:6879
https://access.redhat.com/errata/RHSA-2024:6880
https://access.redhat.com/errata/RHSA-2024:6882
https://access.redhat.com/errata/RHSA-2024:6886
https://access.redhat.com/errata/RHSA-2024:6887
https://access.redhat.com/errata/RHSA-2024:6888
https://access.redhat.com/errata/RHSA-2024:6889
https://access.redhat.com/errata/RHSA-2024:6890
https://access.redhat.com/errata/RHSA-2024:8823
https://access.redhat.com/errata/RHSA-2024:8824
https://access.redhat.com/errata/RHSA-2024:8826
https://access.redhat.com/security/cve/CVE-2024-8883
https://bugzilla.redhat.com/show_bug.cgi?id=2312511
https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java

Credits

Red Hat would like to thank Karsten Meyer zu Selhausen and Niklas Conrad for reporting this issue.