Headline
GHSA-9vm7-v8wj-3fqw: keycloak-core: open redirect via "form_post.jwt" JARM response mode
An incomplete fix was found in Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". It is observed that changing the response_mode parameter in the original proof of concept from “form_post” to “form_post.jwt” can bypass the security patch implemented to address CVE-2023-6134.
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-9vm7-v8wj-3fqw
keycloak-core: open redirect via “form_post.jwt” JARM response mode
Moderate severity GitHub Reviewed Published Jan 22, 2024 in keycloak/keycloak
Package
maven org.keycloak:keycloak-core (Maven)
Affected versions
< 23.0.4
An incomplete fix was found in Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". It is observed that changing the response_mode parameter in the original proof of concept from “form_post” to “form_post.jwt” can bypass the security patch implemented to address CVE-2023-6134.
References
- GHSA-9vm7-v8wj-3fqw
Published to the GitHub Advisory Database
Jan 23, 2024