CVE-2023-6291 – This vulnerability in Keycloak's redirect

Q: What is the severity of CVE-2023-6291?

CVE-2023-6291 has a CVSS score of 7.1 (HIGH). This vulnerability in Keycloak's redirect_uri validation logic allows attackers to bypass host restrictions and steal access tokens. Attackers can then impersonate legitimate users. All Keycloak deployments using affected versions are vulnerable.

📋 TL;DR

This vulnerability in Keycloak's redirect_uri validation logic allows attackers to bypass host restrictions and steal access tokens. Attackers can then impersonate legitimate users. All Keycloak deployments using affected versions are vulnerable.

💻 Affected Systems

Products:

Keycloak

Versions: All versions before 22.0.5, 21.1.6, 20.0.7

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all Keycloak deployments with redirect_uri validation enabled (default configuration).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover and privilege escalation across all integrated applications using stolen access tokens.

🟠

Likely Case

Targeted account compromise leading to unauthorized access to sensitive data in connected applications.

🟢

If Mitigated

Limited impact if strong additional authentication factors and token validation are implemented.

🌐 Internet-Facing: HIGH - Keycloak is typically internet-facing for authentication services, making it directly accessible to attackers.

🏢 Internal Only: MEDIUM - Internal deployments still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires attacker to craft malicious redirect_uri and trick user into authentication flow. No public exploit code known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Keycloak 22.0.5, 21.1.6, 20.0.7 or later

Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:7854

Restart Required: Yes

Instructions:

1. Backup your Keycloak configuration and database. 2. Download patched version from official Keycloak website. 3. Stop Keycloak service. 4. Replace with patched version. 5. Restart Keycloak service. 6. Verify functionality.

🔧 Temporary Workarounds

Temporary redirect_uri restriction

all

Tighten redirect_uri validation rules to only allow specific, trusted domains

Update Keycloak realm settings to restrict valid redirect URIs to exact matches only

🧯 If You Can't Patch

Implement network segmentation to isolate Keycloak from untrusted networks
Enable additional authentication factors (MFA) for all users to reduce impact of token theft

🔍 How to Verify

Check if Vulnerable:

Check Keycloak version via admin console or by examining server logs for version information

Check Version:

Check Keycloak server startup logs or use: java -jar keycloak.jar --version

Verify Fix Applied:

Verify version is 22.0.5, 21.1.6, 20.0.7 or later and test redirect_uri validation with known malicious patterns

📡 Detection & Monitoring

Log Indicators:

Unusual redirect_uri patterns in authentication logs
Multiple failed authentication attempts with varying redirect parameters

Network Indicators:

Unexpected redirects to non-whitelisted domains during OAuth flows

SIEM Query:

source="keycloak" AND (event="AUTHENTICATION" OR event="OAUTH") AND redirect_uri NOT IN ["allowed_domains_list"]

📊 Metadata

CVE ID: CVE-2023-6291

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-601

Published: January 26, 2024

Last Updated: November 21, 2024

🔗 References

https://access.redhat.com/errata/RHSA-2023:7854 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7855 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7856 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7857 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7858 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7860 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7861 Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:0798
https://access.redhat.com/errata/RHSA-2024:0799
https://access.redhat.com/errata/RHSA-2024:0800
https://access.redhat.com/errata/RHSA-2024:0801
https://access.redhat.com/errata/RHSA-2024:0804
https://access.redhat.com/security/cve/CVE-2023-6291 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2251407 Issue Tracking,Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7854 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7855 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7856 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7857 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7858 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7860 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7861 Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:0798
https://access.redhat.com/errata/RHSA-2024:0799
https://access.redhat.com/errata/RHSA-2024:0800
https://access.redhat.com/errata/RHSA-2024:0801
https://access.redhat.com/errata/RHSA-2024:0804
https://access.redhat.com/security/cve/CVE-2023-6291 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2251407 Issue Tracking,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-6291, you might also want to check these: