[MAVEN:GHSA-5968-QW33-H47J] Duplicate Advisory: Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri

Severity Moderate

Affected Packages 1

Fixed Packages 1

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cvg2-7c3j-g36j. This link is maintained to preserve external references.

Original Description

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

Package	Affected Version
pkg:maven/org.keycloak/keycloak-services	< 23.0.3

Package	Fixed Version
pkg:maven/org.keycloak/keycloak-services	= 23.0.3

ID: MAVEN:GHSA-5968-QW33-H47J
Severity: moderate
URL: https://github.com/advisories/GHSA-5968-qw33-h47j
Published: 2023-12-15T00:31:03
(9 months ago)
Modified: 2023-12-18T19:30:56
(9 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2023-6134
			https://access.redhat.com/errata/RHSA-2023:7854
			https://access.redhat.com/errata/RHSA-2023:7855
			https://access.redhat.com/errata/RHSA-2023:7856
			https://access.redhat.com/errata/RHSA-2023:7857
			https://access.redhat.com/errata/RHSA-2023:7858
			https://access.redhat.com/errata/RHSA-2023:7860
			https://access.redhat.com/errata/RHSA-2023:7861
			https://access.redhat.com/security/cve/CVE-2023-6134
			https://bugzilla.redhat.com/show_bug.cgi?id=2249673
			https://github.com/advisories/GHSA-5968-qw33-h47j

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.keycloak/keycloak-services	org.keycloak	keycloak-services	< 23.0.3
Fixed	pkg:maven/org.keycloak/keycloak-services	org.keycloak	keycloak-services	= 23.0.3