Vulnerability Description
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Single Sign-On | < 7.6 |
| Redhat | Enterprise Linux | 7.0 |
| Redhat | Keycloak | < 22.0.7 |
| Redhat | Openshift Container Platform | 4.11 |
| Redhat | Openshift Container Platform For Power | 4.9 |
| Redhat | Openshift Container Platform Ibm Z Systems | 4.9 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2023:7854Vendor Advisory
- https://access.redhat.com/errata/RHSA-2023:7855Vendor Advisory
- https://access.redhat.com/errata/RHSA-2023:7856Vendor Advisory
- https://access.redhat.com/errata/RHSA-2023:7857ExploitVendor Advisory
- https://access.redhat.com/errata/RHSA-2023:7858Vendor Advisory
- https://access.redhat.com/errata/RHSA-2023:7860Vendor Advisory
- https://access.redhat.com/errata/RHSA-2023:7861Vendor Advisory
- https://access.redhat.com/errata/RHSA-2024:0798
- https://access.redhat.com/errata/RHSA-2024:0799
- https://access.redhat.com/errata/RHSA-2024:0800
- https://access.redhat.com/errata/RHSA-2024:0801
- https://access.redhat.com/errata/RHSA-2024:0804
- https://access.redhat.com/security/cve/CVE-2023-6134Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2249673Issue Tracking
- https://access.redhat.com/errata/RHSA-2023:7854Vendor Advisory
FAQ
What is CVE-2023-6134?
CVE-2023-6134 is a vulnerability with a CVSS score of 4.6 (MEDIUM). A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted reque...
How severe is CVE-2023-6134?
CVE-2023-6134 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-6134?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Single Sign-On, Redhat Enterprise Linux, Redhat Keycloak, Redhat Openshift Container Platform, Redhat Openshift Container Platform For Power.