Tue, 01 Oct 2024 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | cvssV3_1 | cvssV3_1 |
Thu, 26 Sep 2024 15:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Redhat build Of Keycloak, Redhat keycloak | |
CPEs | cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:* | |
Vendors & Products | Redhat build Of Keycloak, Redhat keycloak | |
Wed, 18 Sep 2024 08:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:/a:redhat:build_keycloak:24 | |
Mon, 09 Sep 2024 20:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | ssvc | |
Mon, 09 Sep 2024 19:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References | | |
Metrics | threat_severity | threat_severity |
Mon, 09 Sep 2024 19:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as an OAuth redirect URI. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain. | |
Title | Keycloak-core: open redirect on account page | |
First Time appeared | Redhat, Redhat build Keycloak | |
Weaknesses | CWE-601 | |
CPEs | cpe:/a:redhat:build_keycloak:22 cpe:/a:redhat:build_keycloak:24::el9 | |
Vendors & Products | Redhat, Redhat build Keycloak | |
References | | |
Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: redhat
Published: 2024-09-09T18:49:59.437Z
Updated: 2024-11-24T18:42:30.535Z
Reserved: 2024-07-30T02:24:02.197Z
Link: CVE-2024-7260
Updated: 2024-09-09T19:13:37.589Z
Status: Modified
Published: 2024-09-09T19:15:14.033
Modified: 2024-10-01T14:15:06.553
Link: CVE-2024-7260