CVE-2024-8883
Published: 19 September 2024
Summary
CVE-2024-8883 is a medium-severity Open Redirect (CWE-601) vulnerability in Red Hat OpenShift Container Platform. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 8.6% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
Deeper analysis
A misconfiguration vulnerability in Keycloak allows an attacker to redirect users to an arbitrary URL when a Valid Redirect URI is configured as http://localhost or http://127.0.0.1. The flaw, tracked as CVE-2024-8883 and assigned CWE-601, carries a CVSS 3.1 score of 6.1 and can expose sensitive values such as authorization codes.
An unauthenticated remote attacker can trigger the open redirect during an OAuth or OIDC flow that involves user interaction, enabling capture of authorization codes and subsequent session hijacking. Exploitation requires the target realm to have the permissive localhost redirect URI setting and does not need authentication or special privileges.
Red Hat has published multiple errata (RHSA-2024:10385, RHSA-2024:10386, RHSA-2024:6878, RHSA-2024:6879, RHSA-2024:6880) that address the issue in affected Keycloak packages; administrators should apply the relevant updates and review redirect URI configurations to restrict them to trusted domains. The associated EPSS score has remained flat at 0.0659 with no material increase since disclosure.
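To support the configuration review recommended above, here is an added example (not from the advisory and not Keycloak's own code): a Python audit of a Keycloak realm export that lists every client whose Valid Redirect URIs resolve to plain-HTTP localhost or 127.0.0.1, the setting the flaw depends on. The realm JSON is constructed for the example; the field names `clients`, `clientId`, `rootUrl` and `redirectUris` are assumed to match Keycloak's realm export format.

```python
"""Find Keycloak clients with the permissive localhost redirect URIs tied to CVE-2024-8883."""
import json
from urllib.parse import urlparse, urljoin

# Hosts the advisory names as risky when used as a Valid Redirect URI.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}

# Constructed realm export fragment (assumed Keycloak export field names, not a real deployment).
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "cli-tool", "redirectUris": ["http://localhost", "http://127.0.0.1/*"]},
        {"clientId": "web-app", "rootUrl": "https://app.example.test",
         "redirectUris": ["/callback", "https://app.example.test/*"]},
        {"clientId": "dev-only", "redirectUris": ["http://localhost:*/cb", "https://localhost/cb"]},
    ],
})


def is_loopback_http(uri: str, root_url: str = "") -> bool:
    """True if the redirect URI is plain-HTTP localhost or 127.0.0.1 (the pattern the advisory names)."""
    if uri.startswith("/") and root_url:
        uri = urljoin(root_url, uri)  # relative URIs are resolved against the client's rootUrl
    parsed = urlparse(uri.strip())
    if parsed.scheme.lower() != "http":  # only the http:// form from the advisory is flagged
        return False
    return (parsed.hostname or "") in LOOPBACK_HOSTS  # hostname ignores ports, wildcards and paths


def find_permissive_localhost_redirects(realm_json: str) -> list[tuple[str, str]]:
    """Return (clientId, redirectUri) pairs that should be reviewed and restricted."""
    realm = json.loads(realm_json)
    findings = []
    for client in realm.get("clients", []):
        root = client.get("rootUrl", "")
        for uri in client.get("redirectUris", []):
            if is_loopback_http(uri, root):
                findings.append((client.get("clientId", "?"), uri))
    return findings


if __name__ == "__main__":
    for client_id, uri in find_permissive_localhost_redirects(SAMPLE_REALM_EXPORT):
        print(f"client {client_id!r}: review Valid Redirect URI {uri!r}")
```

Run it against a real export by replacing `SAMPLE_REALM_EXPORT` with the file contents; every hit is a client to re-scope to trusted domains once the errata are applied.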
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3152
Vulnerability details
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.