A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.keycloak:keycloak-services(Maven) | 0 | 22.0.10 | N/A |
| org.keycloak:keycloak-services(Maven) | 23.0.0 | 24.0.3 | N/A |
CVSS Metrics
