Vulnerability details: VCID-7t4n-1rts-g7cx
Vulnerability ID VCID-7t4n-1rts-g7cx
Aliases CVE-2023-6134
GHSA-cvg2-7c3j-g36j
Summary: Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri. Keycloak prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This could permit an attacker to submit a specially crafted request leading to XSS or possibly further attacks.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3.1 4.6 https://access.redhat.com/errata/RHSA-2023:7854
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2023:7854
cvssv3.1 4.6 https://access.redhat.com/errata/RHSA-2023:7855
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2023:7855
cvssv3.1 4.6 https://access.redhat.com/errata/RHSA-2023:7856
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2023:7856
cvssv3.1 4.6 https://access.redhat.com/errata/RHSA-2023:7857
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2023:7857
cvssv3.1 4.6 https://access.redhat.com/errata/RHSA-2023:7858
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2023:7858
cvssv3.1 4.6 https://access.redhat.com/errata/RHSA-2023:7860
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2023:7860
cvssv3.1 4.6 https://access.redhat.com/errata/RHSA-2023:7861
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2023:7861
cvssv3 4.6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6134.json
cvssv3.1 4.6 https://access.redhat.com/security/cve/CVE-2023-6134
generic_textual MODERATE https://access.redhat.com/security/cve/CVE-2023-6134
epss 0.01411 https://api.first.org/data/v1/epss?cve=CVE-2023-6134
epss 0.01836 https://api.first.org/data/v1/epss?cve=CVE-2023-6134
cvssv3.1 4.6 https://bugzilla.redhat.com/show_bug.cgi?id=2249673
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=2249673
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-cvg2-7c3j-g36j
cvssv3.1 4.6 https://github.com/keycloak/keycloak
generic_textual MODERATE https://github.com/keycloak/keycloak
cvssv3.1 4.6 https://github.com/keycloak/keycloak/commit/15a21bf8e4fb71f006ba9caf25b9c9d1d152cd20
generic_textual MODERATE https://github.com/keycloak/keycloak/commit/15a21bf8e4fb71f006ba9caf25b9c9d1d152cd20
cvssv3.1 4.6 https://github.com/keycloak/keycloak/security/advisories/GHSA-cvg2-7c3j-g36j
cvssv3.1_qr MODERATE https://github.com/keycloak/keycloak/security/advisories/GHSA-cvg2-7c3j-g36j
generic_textual MODERATE https://github.com/keycloak/keycloak/security/advisories/GHSA-cvg2-7c3j-g36j
cvssv3.1 4.6 https://nvd.nist.gov/vuln/detail/CVE-2023-6134
cvssv3.1 5.4 https://nvd.nist.gov/vuln/detail/CVE-2023-6134
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-6134
Reference id Reference type URL
https://access.redhat.com/errata/RHSA-2023:7854
https://access.redhat.com/errata/RHSA-2023:7855
https://access.redhat.com/errata/RHSA-2023:7856
https://access.redhat.com/errata/RHSA-2023:7857
https://access.redhat.com/errata/RHSA-2023:7858
https://access.redhat.com/errata/RHSA-2023:7860
https://access.redhat.com/errata/RHSA-2023:7861
https://access.redhat.com/errata/RHSA-2024:0798
https://access.redhat.com/errata/RHSA-2024:0799
https://access.redhat.com/errata/RHSA-2024:0800
https://access.redhat.com/errata/RHSA-2024:0801
https://access.redhat.com/errata/RHSA-2024:0804
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6134.json
https://access.redhat.com/security/cve/CVE-2023-6134
https://api.first.org/data/v1/epss?cve=CVE-2023-6134
https://bugzilla.redhat.com/show_bug.cgi?id=2249673
https://github.com/keycloak/keycloak
https://github.com/keycloak/keycloak/commit/15a21bf8e4fb71f006ba9caf25b9c9d1d152cd20
https://github.com/keycloak/keycloak/security/advisories/GHSA-cvg2-7c3j-g36j
https://nvd.nist.gov/vuln/detail/CVE-2023-6134
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*
GHSA-cvg2-7c3j-g36j https://github.com/advisories/GHSA-cvg2-7c3j-g36j
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (Attack Vector: network, Attack Complexity: low, Privileges Required: low, User Interaction: required, Scope: unchanged, Confidentiality Impact: low, Integrity Impact: low, Availability Impact: none) Found at https://access.redhat.com/errata/RHSA-2023:7854
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (same metrics as above) Found at https://access.redhat.com/errata/RHSA-2023:7855
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (same metrics as above) Found at https://access.redhat.com/errata/RHSA-2023:7856
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (same metrics as above) Found at https://access.redhat.com/errata/RHSA-2023:7857
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (same metrics as above) Found at https://access.redhat.com/errata/RHSA-2023:7858
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (same metrics as above) Found at https://access.redhat.com/errata/RHSA-2023:7860
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (same metrics as above) Found at https://access.redhat.com/errata/RHSA-2023:7861
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (same metrics as above) Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6134.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (same metrics as above) Found at https://access.redhat.com/security/cve/CVE-2023-6134
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (same metrics as above) Found at https://bugzilla.redhat.com/show_bug.cgi?id=2249673
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (same metrics as above) Found at https://github.com/keycloak/keycloak
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (same metrics as above) Found at https://github.com/keycloak/keycloak/commit/15a21bf8e4fb71f006ba9caf25b9c9d1d152cd20
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (same metrics as above) Found at https://github.com/keycloak/keycloak/security/advisories/GHSA-cvg2-7c3j-g36j
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (same metrics as above) Found at https://nvd.nist.gov/vuln/detail/CVE-2023-6134
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Attack Vector: network, Attack Complexity: low, Privileges Required: low, User Interaction: required, Scope: changed, Confidentiality Impact: low, Integrity Impact: low, Availability Impact: none) Found at https://nvd.nist.gov/vuln/detail/CVE-2023-6134
Exploit Prediction Scoring System (EPSS)
Percentile 0.79698
EPSS Score 0.01411
Published At Aug. 10, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:42:34.493148+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-cvg2-7c3j-g36j/GHSA-cvg2-7c3j-g36j.json 37.0.0