Cyber Resilience

CVE-2024-8883

Severity: Medium
Published: 19 September 2024
Modified: 26 November 2024
CVSS v3.1 score: 6.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS score: 0.0659 (91.4th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-8883 is a medium-severity Open Redirect (CWE-601) vulnerability in Red Hat OpenShift Container Platform. Its CVSS base score is 6.1 (Medium).

Operationally, its EPSS score ranks it in the top 8.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A misconfiguration vulnerability in Keycloak allows an attacker to redirect users to an arbitrary URL when a Valid Redirect URI is configured as http://localhost or http://127.0.0.1. The flaw, tracked as CVE-2024-8883 and assigned CWE-601, carries a CVSS 3.1 score of 6.1 and can expose sensitive values such as authorization codes.

An unauthenticated remote attacker can trigger the open redirect during an OAuth or OIDC flow that involves user interaction, enabling capture of authorization codes and subsequent session hijacking. Exploitation requires the target realm to have the permissive localhost redirect URI setting; it does not require authentication or special privileges.

Red Hat has published multiple errata (RHSA-2024:10385, RHSA-2024:10386, RHSA-2024:6878, RHSA-2024:6879, RHSA-2024:6880) that address the issue in affected Keycloak packages. Administrators should apply the relevant updates and review redirect URI configurations to restrict them to trusted domains. The associated EPSS score has remained flat at 0.0659, with no material increase since disclosure.
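As an added example (not part of this advisory or of Keycloak itself), the following audit script flags the permissive setting the advisory describes in a Keycloak realm export. It assumes the export JSON has a top-level "clients" array whose entries carry "clientId" and "redirectUris", and it generalizes the check to loopback redirect URIs that carry a port or path as well as the bare http://localhost and http://127.0.0.1 forms; the sample export is constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample realm export (not real data): three clients, two with
# loopback http redirect URIs of the kind CVE-2024-8883 describes.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "web-app", "redirectUris": ["https://app.example.com/*"]},
        {"clientId": "dev-cli", "redirectUris": ["http://localhost", "http://127.0.0.1"]},
        {"clientId": "local-dev", "redirectUris": ["http://localhost:3000/callback"]},
    ],
})

LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


def is_risky_redirect_uri(uri: str) -> bool:
    """True for a plain-http Valid Redirect URI whose host is localhost or
    127.0.0.1 (the advisory's setting), with or without a port or path."""
    parts = urlsplit(uri.strip())
    # urlsplit lower-cases the hostname, so 'LOCALHOST' is caught too.
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def audit_realm_export(export_json: str) -> dict[str, list[str]]:
    """Return {clientId: [risky redirect URIs]} for every client that has one.
    Assumed export layout: {"clients": [{"clientId": ..., "redirectUris": [...]}]}."""
    realm = json.loads(export_json)
    findings: dict[str, list[str]] = {}
    for client in realm.get("clients", []):
        risky = [u for u in client.get("redirectUris", []) if is_risky_redirect_uri(u)]
        if risky:
            findings[client["clientId"]] = risky
    return findings


if __name__ == "__main__":
    # Feed a real export via: kc admin export (or the admin console) -> JSON file.
    for client_id, uris in audit_realm_export(SAMPLE_REALM_EXPORT).items():
        print(f"{client_id}: {uris}")
```

Clients reported by the audit should have their Valid Redirect URIs narrowed to the trusted domains they actually use, in addition to applying the Red Hat errata.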

Vulnerability details

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

CWE(s)

CWE-601: Open Redirect

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Red Hat build of Keycloak: all versions
Red Hat OpenShift Container Platform: 4.11, 4.12
Red Hat OpenShift Container Platform for IBM Z: 4.10, 4.9
Red Hat OpenShift Container Platform for LinuxONE: 4.10, 4.9
Red Hat OpenShift Container Platform for Power: 4.10, 4.9
Red Hat Single Sign-On: 7.6, all versions

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Security awareness (addresses CWE-601): includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.

Redirect validation (addresses CWE-601): validates redirect targets and URLs to ensure they conform to allowed destinations.