7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-6291

GHSA ID

GHSA-mpwq-j3xf-7m5w

EPSS Score

0.42029%

CWE

CWE-20

Published

12/21/2023

Updated

1/26/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-6291

CVE-2023-6291: The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted

An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts.

The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input, but essentially causes a desynchronization in how Keycloak and browsers interpret URLs. Keycloak, for example, receives "www%2ekeycloak%2eorg%2fapp%2f:y@example.com" and thinks the authority to be keycloak.org when it is actually example.com. This happens because the validation logic is performed on a URL decoded version, which no longer represents the original input.

Acknowledgements

Karel Knibbe

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-6291

GHSA ID

GHSA-mpwq-j3xf-7m5w

EPSS Score

0.42029%

CWE

CWE-20

Published

12/21/2023

Updated

1/26/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.keycloak:keycloak-services	maven	< 23.0.3	23.0.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incomplete URI normalization in redirect validation. The commit b2e9110 explicitly fixes this by introducing stripOffRedirectForWildcard() to remove user-info, query, and fragment components before validation. The original matchesRedirects function (lines 256-257 in the patch) only handled query parameters, making it vulnerable to authority confusion via encoded user-info payloads like 'www%2ekeycloak%2eorg%2fapp%2f:y@example.com'. The function's failure to sanitize user-info before wildcard comparison directly enabled the validation bypass.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *oun* in t** r**ir**t_uri v*li**tion lo*i* t**t *llows *or * *yp*ss o* ot**rwis* *xpli*itly *llow** *osts. T** pro*l*m *ris*s in t** v*ri*yR**ir**tUri m*t*o*, w*i** *tt*mpts to *n*or** rul*s on us*r-*ontroll**l* input, *ut *ss*nti*lly *

Reasoning

T** vuln*r**ility st*ms *rom in*ompl*t* URI norm*liz*tion in r**ir**t v*li**tion. T** *ommit ******* *xpli*itly *ix*s t*is *y intro*u*in* `stripO**R**ir**t*orWil***r*()` to r*mov* us*r-in*o, qu*ry, *n* *r**m*nt *ompon*nts ***or* v*li**tion. T** ori*i

7.1

Basic Information

Concerned about an active attack path?

CVE-2023-6291: The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted

Acknowledgements

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI