NVD Vulnerability Detail

CVE-2024-8883

Summary	A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
Publication Date	Sept. 20, 2024, 1:15 a.m.
Registration Date	Sept. 20, 2024, 5 a.m.
Last Update	Nov. 5, 2024, 1:15 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:redhat:single_sign-on:-::::text-only:::
cpe:2.3:a:redhat:openshift_container_platform:4.12:::::::*
cpe:2.3:a:redhat:openshift_container_platform:4.11:::::::*
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:::::::*
cpe:2.3:a:redhat:single_sign-on:7.6:::::::*
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:::::::*
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:::::::*
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:::::::*
cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.9:::::::*
cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.10:::::::*
cpe:2.3:a:redhat:build_of_keycloak:-::::text-only:::

Related information, measures and tools

No	URL	タグ
1	https://access.redhat.com/security/cve/CVE-2024-8883	Vendor Advisory
2	https://bugzilla.redhat.com/show_bug.cgi?id=2312511	Issue Tracking Vendor Advisory
3	https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java	Product
4	https://access.redhat.com/errata/RHSA-2024:6878	Vendor Advisory
5	https://access.redhat.com/errata/RHSA-2024:6879	Vendor Advisory
6	https://access.redhat.com/errata/RHSA-2024:6880	Vendor Advisory
7	https://access.redhat.com/errata/RHSA-2024:6882	Vendor Advisory
8	https://access.redhat.com/errata/RHSA-2024:6886	Vendor Advisory
9	https://access.redhat.com/errata/RHSA-2024:6887	Vendor Advisory
10	https://access.redhat.com/errata/RHSA-2024:6888	Vendor Advisory
11	https://access.redhat.com/errata/RHSA-2024:6889	Vendor Advisory
12	https://access.redhat.com/errata/RHSA-2024:6890	Vendor Advisory
13	https://access.redhat.com/errata/RHSA-2024:8823
14	https://access.redhat.com/errata/RHSA-2024:8824
15	https://access.redhat.com/errata/RHSA-2024:8826

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-601	オープンリダイレクト	https://cwe.mitre.org/data/definitions/601.html

JVN Vulnerability Information

複数のレッドハット製品におけるオープンリダイレクトの脆弱性

Title	複数のレッドハット製品におけるオープンリダイレクトの脆弱性
Summary	build of keycloak、Red Hat OpenShift Container Platform、openshift container platform for ibm z 等複数のレッドハット製品には、オープンリダイレクトの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Sept. 19, 2024, midnight
Registration Date	Sept. 26, 2024, 11:10 a.m.
Last Update	May 16, 2025, 4:25 p.m.

Affected System

レッドハット

build of keycloak

openshift container platform for ibm z 4.10

openshift container platform for ibm z 4.9

openshift container platform for linuxone 4.10

openshift container platform for linuxone 4.9

openshift container platform for power 4.10

openshift container platform for power 4.9

Red Hat OpenShift Container Platform 4.11

Red Hat OpenShift Container Platform 4.12

Single Sign-On

Single Sign-On 7.6

日立

Hitachi Ops Center Common Services (海外版)

Hitachi Ops Center Common Services (国内版)

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-8883	https://www.cve.org/CVERecord?id=CVE-2024-8883
National Vulnerability Database (NVD)
2	CVE-2024-8883	https://nvd.nist.gov/vuln/detail/CVE-2024-8883

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-601	https://cwe.mitre.org/data/definitions/601.html

ベンダー情報

No	Name	URL
Hitachi Software Vulnerability Information
1	hitachi-sec-2025-113	https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-113/index.html
ソフトウェア製品セキュリティ情報
2	hitachi-sec-2025-113	https://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2025-113/index.html

その他

No	Name	URL
関連文書
1	access.redhat.com (CVE-2024-8883)	https://access.redhat.com/security/cve/CVE-2024-8883
2	access.redhat.com (RHSA-2024:6878)	https://access.redhat.com/errata/RHSA-2024:6878
3	access.redhat.com (RHSA-2024:6879)	https://access.redhat.com/errata/RHSA-2024:6879
4	access.redhat.com (RHSA-2024:6880)	https://access.redhat.com/errata/RHSA-2024:6880
5	access.redhat.com (RHSA-2024:6882)	https://access.redhat.com/errata/RHSA-2024:6882
6	access.redhat.com (RHSA-2024:6886)	https://access.redhat.com/errata/RHSA-2024:6886
7	access.redhat.com (RHSA-2024:6887)	https://access.redhat.com/errata/RHSA-2024:6887
8	access.redhat.com (RHSA-2024:6888)	https://access.redhat.com/errata/RHSA-2024:6888
9	access.redhat.com (RHSA-2024:6889)	https://access.redhat.com/errata/RHSA-2024:6889
10	access.redhat.com (RHSA-2024:6890)	https://access.redhat.com/errata/RHSA-2024:6890
11	bugzilla.redhat.com (2312511)	https://bugzilla.redhat.com/show_bug.cgi?id=2312511
12	github.com (RedirectUtils.java)	https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java

Change Log

No	Changed Details	Date of change
1	[2024年09月26日] 掲載	Sept. 26, 2024, 11:10 a.m.
2	[2025年05月16日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日立 (hitachi-sec-2025-113) を追加	May 16, 2025, 4:24 p.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:redhat:single_sign-on:-::::text-only:::
cpe:2.3:a:redhat:openshift_container_platform:4.12:::::::*
cpe:2.3:a:redhat:openshift_container_platform:4.11:::::::*
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:::::::*
cpe:2.3:a:redhat:single_sign-on:7.6:::::::*
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:::::::*
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:::::::*
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:::::::*
cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.9:::::::*
cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.10:::::::*
cpe:2.3:a:redhat:build_of_keycloak:-::::text-only:::