NVD Vulnerability Detail

CVE-2024-7260

Summary	An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.
Publication Date	Sept. 10, 2024, 4:15 a.m.
Registration Date	Sept. 10, 2024, noon
Last Update	Oct. 1, 2024, 11:15 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:redhat:build_of_keycloak::::::::				24.0.7
cpe:2.3:a:redhat:keycloak::::::::				24.0.7

Related information, measures and tools

No	URL	タグ
1	https://access.redhat.com/errata/RHSA-2024:6502	Issue Tracking
2	https://access.redhat.com/errata/RHSA-2024:6503	Issue Tracking
3	https://access.redhat.com/security/cve/CVE-2024-7260	Vendor Advisory
4	https://bugzilla.redhat.com/show_bug.cgi?id=2301875	Issue Tracking Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-601	オープンリダイレクト	https://cwe.mitre.org/data/definitions/601.html

JVN Vulnerability Information

レッドハットの build of keycloak および Keycloak におけるオープンリダイレクトの脆弱性

Title	レッドハットの build of keycloak および Keycloak におけるオープンリダイレクトの脆弱性
Summary	レッドハットの build of keycloak および Keycloak には、オープンリダイレクトの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Sept. 9, 2024, midnight
Registration Date	Sept. 27, 2024, 10:59 a.m.
Last Update	Dec. 18, 2024, 11:25 a.m.

Affected System

レッドハット

build of keycloak 24.0.7 未満

Keycloak 24.0.7 未満

日立

Hitachi Ops Center Common Services (海外版)

Hitachi Ops Center Common Services (国内版)

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-7260	https://www.cve.org/CVERecord?id=CVE-2024-7260
National Vulnerability Database (NVD)
2	CVE-2024-7260	https://nvd.nist.gov/vuln/detail/CVE-2024-7260

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-601	https://cwe.mitre.org/data/definitions/601.html

ベンダー情報

No	Name	URL
Hitachi Software Vulnerability Information
1	hitachi-sec-2024-152	https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-152/index.html
ソフトウェア製品セキュリティ情報
2	hitachi-sec-2024-152	https://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2024-152/index.html

その他

No	Name	URL
関連文書
1	access.redhat.com (CVE-2024-7260)	https://access.redhat.com/security/cve/CVE-2024-7260
2	access.redhat.com (RHSA-2024:6502)	https://access.redhat.com/errata/RHSA-2024:6502
3	access.redhat.com (RHSA-2024:6503)	https://access.redhat.com/errata/RHSA-2024:6503
4	bugzilla.redhat.com (2301875)	https://bugzilla.redhat.com/show_bug.cgi?id=2301875

Change Log

No	Changed Details	Date of change
1	[2024年09月27日] 掲載	Sept. 27, 2024, 10:59 a.m.
2	[2024年12月18日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日立 (hitachi-sec-2024-152) を追加	Dec. 18, 2024, 11:25 a.m.