CVE-2023-6134

Published: Dec 14, 2023

Modified: Feb 25, 2026

PUBLISHED

CVSS v3.1

4.6

MEDIUM

Description

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

Vendor	Product	Versions
Red Hat	Red Hat build of Keycloak 22	unaffected `22.0.7-1 - < *`
Red Hat	Red Hat build of Keycloak 22	unaffected `22-6 - < *`
Red Hat	Red Hat build of Keycloak 22	unaffected `22-9 - < *`
Red Hat	Red Hat build of Keycloak 22.0.7	All versions
Red Hat	Red Hat Single Sign-On 7	All versions
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 7	unaffected `0:18.0.11-2.redhat_00003.1.el7sso - < *`
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 7	unaffected `0:18.0.12-1.redhat_00001.1.el7sso - < *`
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 8	unaffected `0:18.0.11-2.redhat_00003.1.el8sso - < *`
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 8	unaffected `0:18.0.12-1.redhat_00001.1.el8sso - < *`
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 9	unaffected `0:18.0.11-2.redhat_00003.1.el9sso - < *`
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 9	unaffected `0:18.0.12-1.redhat_00001.1.el9sso - < *`
Red Hat	RHEL-8 based Middleware Containers	unaffected `7.6-38 - < *`
Red Hat	RHEL-8 based Middleware Containers	unaffected `7.6.6-2 - < *`
Red Hat	RHEL-8 based Middleware Containers	unaffected `7.6-41 - < *`
Red Hat	Single Sign-On 7.6.6	All versions