CVE-2018-14658

MEDIUM

JBOSS Keycloak 3.2.1.Final - Open Redirect


Description

A flaw was found in JBOSS Keycloak 3.2.1.Final. The redirect URLs for both login and logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect URL is verified, so a URL that passes the check can still resolve to an attacker-controlled location. This can lead to an open redirection attack.

References (4)

Issue Tracking, Vendor Advisory (x_refsource_confirm)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14658
Vendor Advisory (vendor-advisory, x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2018:3592
Vendor Advisory (vendor-advisory, x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2018:3593
Vendor Advisory (vendor-advisory, x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2018:3595

Scores

CVSS v3 6.1
EPSS 0.0024
EPSS Percentile 47.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-601
Status published
Products (2)
org.keycloak/keycloak-core (Maven)
redhat/keycloak 3.2.1
Published Nov 13, 2018
Tracked Since Feb 18, 2026