fkie_cve-2024-7260
Vulnerability from fkie_nvd
Published
2024-09-09 19:15
Modified
2024-10-01 14:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6502Issue Tracking
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6503Issue Tracking
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2024-7260Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2301875Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat build_of_keycloak *
redhat keycloak *


To clipboard 

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "802E2FCC-19AA-419E-8A1B-50E8F612A687",
                     versionEndExcluding: "24.0.7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "78B09F16-131D-4A15-9D00-A085F210E717",
                     versionEndExcluding: "24.0.7",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks.\r\n\r\nOnce a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.",
      },
      {
         lang: "es",
         value: "Se encontró una vulnerabilidad de redirección abierta en Keycloak. Se puede construir una URL especialmente manipulada donde los parámetros referrer y referrer_uri se crean para engañar a un usuario para que visite una página web maliciosa. Una URL confiable puede engañar a los usuarios y a la automatización haciéndoles creer que la URL es segura, cuando, de hecho, redirecciona a un servidor malicioso. Este problema puede provocar que una víctima confíe inadvertidamente en el destino de la redirección, lo que puede llevar a un ataque de phishing exitoso u otros tipos de ataques. Una vez que se crea una URL manipulada, se puede enviar a un administrador de Keycloak por correo electrónico, por ejemplo. Esto activará esta vulnerabilidad cuando el usuario visite la página y haga clic en el enlace. Un actor malicioso puede usar esto para apuntar a usuarios que sabe que son administradores de Keycloak para futuros ataques. También puede ser posible eludir otros controles de seguridad relacionados con el dominio, como proporcionar esto como una URL de redireccionamiento de OAuth. El actor malicioso puede ofuscar aún más la redirect_uri mediante la codificación de URL, para ocultar el texto del dominio real del sitio web malicioso.",
      },
   ],
   id: "CVE-2024-7260",
   lastModified: "2024-10-01T14:15:06.553",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "secalert@redhat.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-09-09T19:15:14.033",
   references: [
      {
         source: "secalert@redhat.com",
         tags: [
            "Issue Tracking",
         ],
         url: "https://access.redhat.com/errata/RHSA-2024:6502",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Issue Tracking",
         ],
         url: "https://access.redhat.com/errata/RHSA-2024:6503",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://access.redhat.com/security/cve/CVE-2024-7260",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Issue Tracking",
            "Vendor Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=2301875",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-601",
            },
         ],
         source: "secalert@redhat.com",
         type: "Primary",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.