CPE-C7AB13E0-C36B-4D6D-9527-7E99EF87D73A Detail

CPE Details

Red Hat Build of Keycloak 24.0.6

Vendor

redhat

Product

build_of_keycloak

Version

24.0.6

Created

2024-10-03
17h25 +00:00

Modified

2024-10-03
17h25 +00:00

Official links

CPE NVD

Alerte pour un CPE

Stay informed of any changes for a specific CPE.

Notifications manage

List of Notifications

Alerte pour un CPE

Stay informed of any changes for a specific CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

CPE ID

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CPE Name: cpe:2.3:a:redhat:build_of_keycloak:24.0.6:::::::*

Informations

Vendor

redhat

Product

build_of_keycloak

Version

24.0.6

Related CVE

Open and find in CVE List

CVE ID	Published	Description	Score	Severity
CVE-2024-7341	2024-09-09 18h51 +00:00	A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.	7.1	High
CVE-2024-7318	2024-09-09 18h50 +00:00	A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.	4.8	Medium
CVE-2024-7260	2024-09-09 18h49 +00:00	An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.	6.1	Medium

Red Hat Build of Keycloak 24.0.6

CPE Details

CPE Name: cpe:2.3:a:redhat:build_of_keycloak:24.0.6:*:*:*:*:*:*:*

Informations

Vendor

Product

Version

Related CVE

CPE Name: cpe:2.3:a:redhat:build_of_keycloak:24.0.6:::::::*