CVE-2018-14658: URL Redirection to Untrusted Site ('Open Redirect')

May 13, 2022 (updated July 21, 2023)

A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack

References

access.redhat.com/errata/RHSA-2018:3592
access.redhat.com/errata/RHSA-2018:3593
access.redhat.com/errata/RHSA-2018:3595
bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14658
github.com/advisories/GHSA-3qh2-mccc-q5m6
nvd.nist.gov/vuln/detail/CVE-2018-14658

Code Behaviors & Features

Detect and mitigate CVE-2018-14658 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →