CVE-2023-6134

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2023:7854	Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7855	Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7856	Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7857	Exploit Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7858	Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7860	Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7861	Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:0798
https://access.redhat.com/errata/RHSA-2024:0799
https://access.redhat.com/errata/RHSA-2024:0800
https://access.redhat.com/errata/RHSA-2024:0801
https://access.redhat.com/errata/RHSA-2024:0804
https://access.redhat.com/security/cve/CVE-2023-6134	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2249673	Issue Tracking

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

OR	cpe:2.3:a:redhat:openshift_container_platform:4.11:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.12:::::::*

Configuration 4 (hide)

AND

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

OR	cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:::::::*

Configuration 5 (hide)

AND

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

OR	cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.9:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:::::::*

Configuration 6 (hide)

cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*

History

No history.

Information

Published : 2023-12-14 22:15

Updated : 2024-02-14 03:15

NVD link : CVE-2023-6134

Mitre link : CVE-2023-6134

CVE.ORG link : CVE-2023-6134

JSON object : View

Products Affected

redhat

openshift_container_platform_ibm_z_systems
single_sign-on
enterprise_linux
openshift_container_platform
openshift_container_platform_for_power
keycloak

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

JSON object

Attach tags to CVE-2023-6134

5.4^/10

Attach tags to `CVE-2023-6134`