You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to CVE-2023-6291.
mend-bolt-for-githubbot
changed the title
quarkus-keycloak-authorization-3.9.3.jar: 1 vulnerabilities (highest severity is: 7.1)
quarkus-keycloak-authorization-3.9.3.jar: 1 vulnerabilities (highest severity is: 7.1) - autoclosed
May 24, 2024
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - quarkus-keycloak-authorization-3.9.3.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Found in HEAD commit: 7664dbb2a09fe36117ac9a7e072a10600a02d0c8
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-2419
Vulnerable Library - keycloak-common-23.0.7.jar
Common library and dependencies shared with server and all adapters
Library home page: http://keycloak.org
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: 7664dbb2a09fe36117ac9a7e072a10600a02d0c8
Found in base branch: main
Vulnerability Details
A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to CVE-2023-6291.
Publish Date: 2024-04-17
URL: CVE-2024-2419
CVSS 3 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-2419
Release Date: 2024-04-17
Fix Resolution: org.keycloak:keycloak-services:22.0.10,24.0.3, org.keycloak:keycloak-common:22.0.10,24.0.3
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: