Untriaged
Keycloak: path transversal in redirection validation
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
Affected products
keycloak
- <22.0.10
- <24.0.3
upstream
keycloak-core
rh-sso7-keycloak
- *
rhbk/keycloak-rhel9
- *
Red Hat AMQ Broker 7
mtr/mtr-rhel8-operator
- *
mtr/mtr-operator-bundle
- *
mta/mta-windup-addon-rhel9
- *
org.keycloak/keycloak-core
mtr/mtr-web-container-rhel8
- *
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
- *
rhbk/keycloak-operator-bundle
- *
rh-sso-7/sso76-openshift-rhel8
- *
Red Hat build of Keycloak 22.0.10
mtr/mtr-web-executor-container-rhel8
- *
org.wildfly.security-wildfly-elytron-parent
Matching in nixpkgs
pkgs.keycloak
Identity and access management for modern applications and services
-
nixos-unstable -
- nixpkgs-unstable 26.3.4
pkgs.terraform-providers.keycloak
None
-
nixos-unstable -
- nixpkgs-unstable 5.4.0
pkgs.python312Packages.python-keycloak
Provides access to the Keycloak API
-
nixos-unstable -
- nixpkgs-unstable 4.0.0
pkgs.python313Packages.python-keycloak
Provides access to the Keycloak API
-
nixos-unstable -
- nixpkgs-unstable 4.0.0
Package maintainers
-
@ngerstle Nicholas Gerstle <ngerstle@gmail.com>
-
@NickCao Nick Cao <nickcao@nichi.co>
-
@talyz Kim Lindberger <kim.lindberger@gmail.com>
-
@leona-ya Leona Maroni <nix@leona.is>