CVE-2024-1132

Keycloak: path transversal in redirection validation

Description

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.

Remediation

Workaround:

No current mitigation is available for this vulnerability.

References

Link	Tags
https://access.redhat.com/errata/RHSA-2024:1860	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1861	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1862	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1864	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1866	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1867	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1868	vendor advisory
https://access.redhat.com/errata/RHSA-2024:2945	vendor advisory
https://access.redhat.com/errata/RHSA-2024:3752	vendor advisory
https://access.redhat.com/errata/RHSA-2024:3762	vendor advisory
https://access.redhat.com/errata/RHSA-2024:3919	vendor advisory
https://access.redhat.com/errata/RHSA-2024:3989	vendor advisory
https://access.redhat.com/security/cve/CVE-2024-1132	vdb entry
https://bugzilla.redhat.com/show_bug.cgi?id=2262117	issue tracking

Frequently Asked Questions

What is the severity of CVE-2024-1132?: CVE-2024-1132 has been scored as a high severity vulnerability.
How to fix CVE-2024-1132?: As a workaround for remediating CVE-2024-1132: No current mitigation is available for this vulnerability.
Is CVE-2024-1132 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-1132 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-1132?: CVE-2024-1132 affects Red Hat Migration Toolkit for Runtimes 1 on RHEL 8, Red Hat Migration Toolkit for Runtimes 1 on RHEL 8, Red Hat Migration Toolkit for Runtimes 1 on RHEL 8, Red Hat Migration Toolkit for Runtimes 1 on RHEL 8, Red Hat MTA-6.2-RHEL-9, Red Hat Red Hat AMQ Broker 7, Red Hat Red Hat AMQ Broker 7, Red Hat Red Hat AMQ Broker 7, Red Hat Red Hat build of Keycloak 22, Red Hat Red Hat build of Keycloak 22, Red Hat Red Hat build of Keycloak 22, Red Hat Red Hat build of Keycloak 22.0.10, Red Hat Red Hat Single Sign-On 7.6 for RHEL 7, Red Hat Red Hat Single Sign-On 7.6 for RHEL 8, Red Hat Red Hat Single Sign-On 7.6 for RHEL 9, Red Hat RHEL-8 based Middleware Containers, Red Hat RHSSO 7.6.8, Red Hat Red Hat build of Apicurio Registry 2, Red Hat Red Hat build of Quarkus, Red Hat Red Hat Data Grid 8, Red Hat Red Hat Decision Manager 7, Red Hat Red Hat Fuse 7, Red Hat Red Hat JBoss Data Grid 7, Red Hat Red Hat JBoss Enterprise Application Platform 6, Red Hat Red Hat JBoss Enterprise Application Platform 7, Red Hat Red Hat Process Automation 7.

Description

Remediation

Category

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions