{
  "threat_severity" : "Important",
  "public_date" : "2024-04-16T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: path traversal in the redirect validation",
    "id" : "2269371",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2269371"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-601",
  "details" : [ "A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to CVE-2023-6291.", "A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to CVE-2023-6291." ],
  "statement" : "Note that this affects only Keycloak and Red Hat build of Keycloak, which is built on Quarkus. Red Hat Single Sign-On is not affected, because the parsing it inherits from WildFly is done correctly.",
  "acknowledgement" : "Red Hat would like to thank Taha Marzak for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Keycloak 22",
    "release_date" : "2024-04-16T00:00:00Z",
    "advisory" : "RHSA-2024:1867",
    "cpe" : "cpe:/a:redhat:build_keycloak:22::el9",
    "package" : "rhbk/keycloak-operator-bundle:22.0.10-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 22",
    "release_date" : "2024-04-16T00:00:00Z",
    "advisory" : "RHSA-2024:1867",
    "cpe" : "cpe:/a:redhat:build_keycloak:22::el9",
    "package" : "rhbk/keycloak-rhel9:22-13"
  }, {
    "product_name" : "Red Hat build of Keycloak 22",
    "release_date" : "2024-04-16T00:00:00Z",
    "advisory" : "RHSA-2024:1867",
    "cpe" : "cpe:/a:redhat:build_keycloak:22::el9",
    "package" : "rhbk/keycloak-rhel9-operator:22-16"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-2419\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-2419" ],
  "name" : "CVE-2024-2419",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}