4.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-7260

GHSA ID

GHSA-g4gc-rh26-m3p5

EPSS Score

0.36449%

CWE

CWE-601

Published

9/9/2024

Updated

9/9/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-7260

CVE-2024-7260:
Keycloak Open Redirect vulnerability

An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks.

Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.

(GitHub Advisory)

4.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-7260

GHSA ID

GHSA-g4gc-rh26-m3p5

EPSS Score

0.36449%

CWE

CWE-601

Published

9/9/2024

Updated

9/9/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.keycloak:keycloak-core	maven	< 24.0.7	24.0.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on improper handling of 'referrer' and 'referrer_uri' parameters in Keycloak's account page. The affected package (keycloak-core) and CWE-601 suggest a missing validation step in redirect logic. Keycloak's account management endpoints (e.g., /account) are prime candidates for this flaw. The AccountFormService class is a logical component responsible for processing account-related requests and redirects. While the exact patched code isn't available, the described attack vector aligns with functions that handle user-supplied redirect parameters without proper domain checks. Confidence is medium due to reliance on structural inference rather than explicit patch details.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n op*n r**ir**t vuln*r**ility w*s *oun* in K*y*lo*k. * sp**i*lly *r**t** URL **n ** *onstru*t** w**r* t** `r***rr*r` *n* `r***rr*r_uri` p*r*m*t*rs *r* m*** to tri*k * us*r to visit * m*li*ious w**p***. * trust** URL **n tri*k us*rs *n* *utom*tion in

Reasoning

T** vuln*r**ility **nt*rs on improp*r **n*lin* o* 'r***rr*r' *n* 'r***rr*r_uri' p*r*m*t*rs in K*y*lo*k's ***ount p***. T** *****t** p**k*** (k*y*lo*k-*or*) *n* *W*-*** su***st * missin* `v*li**tion` st*p in r**ir**t lo*i*. K*y*lo*k's ***ount m*n***m*

4.4

Basic Information

Concerned about an active attack path?

CVE-2024-7260: Keycloak Open Redirect vulnerability

4.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-7260:
Keycloak Open Redirect vulnerability

Vulnerability Intelligence
Miggo AI