CVE-2023-6291

Published: Jan 26, 2024

Modified: Nov 11, 2025

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

Vendor	Product	Versions
Red Hat	Red Hat build of Keycloak 22	unaffected `22.0.7-1 - < *`
Red Hat	Red Hat build of Keycloak 22	unaffected `22-6 - < *`
Red Hat	Red Hat build of Keycloak 22	unaffected `22-9 - < *`
Red Hat	Red Hat build of Keycloak 22.0.7	All versions
Red Hat	Red Hat Single Sign-On 7	All versions
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 7	unaffected `0:18.0.11-2.redhat_00003.1.el7sso - < *`
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 7	unaffected `0:18.0.12-1.redhat_00001.1.el7sso - < *`
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 8	unaffected `0:18.0.11-2.redhat_00003.1.el8sso - < *`
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 8	unaffected `0:18.0.12-1.redhat_00001.1.el8sso - < *`
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 9	unaffected `0:18.0.11-2.redhat_00003.1.el9sso - < *`
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 9	unaffected `0:18.0.12-1.redhat_00001.1.el9sso - < *`
Red Hat	RHEL-8 based Middleware Containers	unaffected `7.6-38 - < *`
Red Hat	RHEL-8 based Middleware Containers	unaffected `7.6.6-2 - < *`
Red Hat	RHEL-8 based Middleware Containers	unaffected `7.6-41 - < *`
Red Hat	Single Sign-On 7.6.6	All versions
Red Hat	Migration Toolkit for Applications 6	All versions
Red Hat	Migration Toolkit for Applications 7	All versions
Red Hat	OpenShift Serverless	All versions
Red Hat	Red Hat Data Grid 8	All versions
Red Hat	Red Hat Decision Manager 7	All versions
Red Hat	Red Hat Fuse 7	All versions
Red Hat	Red Hat JBoss Data Grid 7	All versions
Red Hat	Red Hat JBoss Enterprise Application Platform 6	All versions
Red Hat	Red Hat Process Automation 7	All versions