{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46902?format=json","vulnerability_id":"VCID-xbkp-kjgd-fqcx","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nA flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.","aliases":[{"alias":"CVE-2023-6291"},{"alias":"GHSA-mpwq-j3xf-7m5w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68187?format=json","purl":"pkg:maven/org.keycloak/keycloak-core@23.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@23.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/68625?format=json","purl":"pkg:maven/org.keycloak/keycloak-model-infinispan@23.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-model-infinispan@23.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/68629?format=json","purl":"pkg:maven/org.keycloak/keycloak-model-jpa@23.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-model-jpa@23.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/68623?format=json","purl":"pkg:maven/org.keycloak/keycloak-parent@23.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@23.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/68626?format=json","purl":"pkg:maven/org.keycloak/keycloak-saml-core-public@23.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-saml-core-public@23.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/68628?format=json","purl":"pkg:maven/org.keycloak/keycloak-server-spi-private@23.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-server-spi-private@23.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/68192?format=json","purl":"pkg:maven/org.keycloak/keycloak-services@23.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2kyy-pzzx-n7gr"},{"vulnerability":"VCID-2xvq-t8jp-zfbj"},{"vulnerability":"VCID-dt1x-6344-fkda"},{"vulnerability":"VCID-ghak-3963-juhk"},{"vulnerability":"VCID-kbc1-6psh-17d8"},{"vulnerability":"VCID-mt5g-24m9-tfbg"},{"vulnerability":"VCID-nw1y-zwsy-auff"},{"vulnerability":"VCID-uya7-2sk1-6uat"},{"vulnerability":"VCID-y5qk-qy59-23hn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/68194?format=json","purl":"pkg:npm/keycloak-connect@23.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/keycloak-connect@23.0.0"}],"affected_packages":[],"references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7854","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7854"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7855","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7855"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7856","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7856"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7857","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7857"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7858","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7858"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7860","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7860"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7861","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7861"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2251407","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2251407"},{"reference_url":"https://github.com/keycloak/keycloak/commit/b2e91105315ccf2c1df549b4f6c5948322cbfd1b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/keycloak/keycloak/commit/b2e91105315ccf2c1df549b4f6c5948322cbfd1b"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2023-6291","reference_id":"CVE-2023-6291","reference_type":"","scores":[],"url":"https://access.redhat.com/security/cve/CVE-2023-6291"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6291","reference_id":"CVE-2023-6291","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6291"},{"reference_url":"https://github.com/advisories/GHSA-mpwq-j3xf-7m5w","reference_id":"GHSA-mpwq-j3xf-7m5w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mpwq-j3xf-7m5w"},{"reference_url":"https://github.com/keycloak/keycloak/security/advisories/GHSA-mpwq-j3xf-7m5w","reference_id":"GHSA-mpwq-j3xf-7m5w","reference_type":"","scores":[],"url":"https://github.com/keycloak/keycloak/security/advisories/GHSA-mpwq-j3xf-7m5w"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":601,"name":"URL Redirection to Untrusted Site ('Open Redirect')","description":"A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xbkp-kjgd-fqcx"}