CVE-2018-14658
keycloak: Open Redirect in Login and Logout
Severity Score
6.1
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack
Se ha descubierto un problema en JBOSS Keycloak 3.2.1.Final. La URL de redirección para el inicio y el cierre de sesión no se normalizan en org.keycloak.protocol.oidc.utils.RedirectUtils antes de que se verifique la URL de redirección. Esto puede conducir a un ataque de redirección abierta.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-07-27 CVE Reserved
- 2018-11-13 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CAPEC
References (6)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:3592 | 2019-10-09 | |
| https://access.redhat.com/errata/RHSA-2018:3593 | 2019-10-09 | |
| https://access.redhat.com/errata/RHSA-2018:3595 | 2019-10-09 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14658 | 2019-10-09 | |
| https://access.redhat.com/security/cve/CVE-2018-14658 | 2018-11-13 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1625409 | 2018-11-13 |