Skip to content

keycloak-core: open redirect via "form_post.jwt" JARM response mode

Moderate severity GitHub Reviewed Published Jan 22, 2024 in keycloak/keycloak

Package

maven org.keycloak:keycloak-core (Maven)

Affected versions

< 23.0.4

Patched versions

23.0.4

Description

An incomplete fix was found in Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". It is observed that changing the response_mode parameter in the original proof of concept from "form_post" to "form_post.jwt" can bypass the security patch implemented to address CVE-2023-6134.

References

@abstractj abstractj published to keycloak/keycloak Jan 22, 2024
Published to the GitHub Advisory Database Jan 23, 2024
Reviewed Jan 23, 2024

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-9vm7-v8wj-3fqw

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.