CVE-2024-8883: URL Redirection to Untrusted Site ('Open Redirect')
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
AI Analysis
Technical Summary
This vulnerability arises from improper validation of redirect URIs in Keycloak, specifically when 'Valid Redirect URI' includes localhost addresses (http://localhost or http://127.0.0.1). An attacker can leverage this to redirect users to arbitrary URLs, exposing sensitive authorization codes and potentially leading to session hijacking. The CVSS 3.1 base score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and partial confidentiality and integrity impact. Red Hat has issued official security advisories (RHSA-2024:10385 and RHSA-2024:10386) providing patches in JBoss Enterprise Application Platform 8.0 updates that fix the vulnerable redirect URI validation.
Potential Impact
Exploitation of this vulnerability can lead to exposure of sensitive authorization codes through open redirect attacks, which may result in session hijacking. The impact is limited to confidentiality and integrity, with no availability impact reported. The vulnerability requires user interaction and can be exploited remotely without privileges.
Mitigation Recommendations
Red Hat has released official security updates for JBoss Enterprise Application Platform 8.0 that fix this vulnerability. Users should apply these updates (e.g., JBoss Enterprise Application Platform 8.0 Update 4.1) after ensuring all prior relevant errata are applied and backing up their systems. Detailed update instructions are available in Red Hat advisories and documentation. Applying these patches mitigates the vulnerability by correcting the redirect URI validation logic.
CVE-2024-8883: URL Redirection to Untrusted Site ('Open Redirect')
Description
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from improper validation of redirect URIs in Keycloak, specifically when 'Valid Redirect URI' includes localhost addresses (http://localhost or http://127.0.0.1). An attacker can leverage this to redirect users to arbitrary URLs, exposing sensitive authorization codes and potentially leading to session hijacking. The CVSS 3.1 base score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and partial confidentiality and integrity impact. Red Hat has issued official security advisories (RHSA-2024:10385 and RHSA-2024:10386) providing patches in JBoss Enterprise Application Platform 8.0 updates that fix the vulnerable redirect URI validation.
Potential Impact
Exploitation of this vulnerability can lead to exposure of sensitive authorization codes through open redirect attacks, which may result in session hijacking. The impact is limited to confidentiality and integrity, with no availability impact reported. The vulnerability requires user interaction and can be exploited remotely without privileges.
Mitigation Recommendations
Red Hat has released official security updates for JBoss Enterprise Application Platform 8.0 that fix this vulnerability. Users should apply these updates (e.g., JBoss Enterprise Application Platform 8.0 Update 4.1) after ensuring all prior relevant errata are applied and backing up their systems. Detailed update instructions are available in Red Hat advisories and documentation. Applying these patches mitigates the vulnerability by correcting the redirect URI validation logic.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- redhat
- Date Reserved
- 2024-09-16T06:45:30.550Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9838c4522896dcbebe5b
Added to database: 5/21/2025, 9:09:12 AM
Last enriched: 4/4/2026, 10:43:35 AM
Last updated: 5/9/2026, 6:22:11 PM
Views: 106
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.