CVE-2018-14658: URL Redirection to Untrusted Site (Open Redirect)
The redirect URLs for both login and logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils
before the redirect URL is verified. This can lead to an open redirection attack.
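As an added illustration of the defect class described above (this is not Keycloak's code and does not reproduce RedirectUtils): a redirect-URI check that verifies the raw string, beside one that normalizes the URL first and then verifies the canonical form. The allow-list, the "/*" wildcard convention and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit
import posixpath

# Constructed allow-list for one client. A trailing "/*" means "any path
# below this prefix" (an assumption made for this example).
ALLOWED_REDIRECTS = [
    "https://app.example.com/callback",
    "https://app.example.com/oidc/*",
]

def normalize_url(url: str) -> str:
    """Canonical form: lowercase scheme and host, default port and userinfo
    dropped, '.'/'..' segments and repeated slashes resolved, fragment removed.
    Raises ValueError for anything that is not an absolute http(s) URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in ("http", "https") or not host:
        raise ValueError("only absolute http(s) URLs are accepted")
    port = parts.port  # raises ValueError on a non-numeric port
    default = (scheme, port) in (("https", 443), ("http", 80))
    netloc = host if port is None or default else f"{host}:{port}"
    raw_path = parts.path or "/"
    # posixpath.normpath keeps a leading "//", so strip leading slashes first.
    path = "/" + posixpath.normpath(raw_path).lstrip("/")
    if raw_path.endswith("/") and not path.endswith("/"):
        path += "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))

def _matches(candidate: str, pattern: str) -> bool:
    """Exact match, or prefix match for entries ending in '/*'."""
    if pattern.endswith("/*"):
        return candidate.startswith(normalize_url(pattern[:-1]))
    return candidate == normalize_url(pattern)

def is_allowed_unnormalized(redirect_uri: str) -> bool:
    """The defect class in the advisory: the raw string is verified, so a
    '..' segment can slip past a prefix rule."""
    return any(_matches(redirect_uri, p) for p in ALLOWED_REDIRECTS)

def is_allowed(redirect_uri: str) -> bool:
    """Hardened: normalize first, then verify the canonical form."""
    try:
        canonical = normalize_url(redirect_uri)
    except ValueError:
        return False
    return any(_matches(canonical, p) for p in ALLOWED_REDIRECTS)
```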