CVE-2024-2419
📋 TL;DR
CVE-2024-2419 is a flaw in Keycloak's redirect_uri validation logic that lets an attacker bypass the per-client list of allowed redirect hosts. A user who follows a crafted authorization URL has the authorization response (the code, or the token itself with implicit flow) delivered to an attacker-controlled host, which can lead to a stolen access token and impersonation of that user in every application that trusts the realm. Any Keycloak deployment that issues tokens through the browser-based OAuth 2.0 / OIDC flows is potentially affected.
💻 Affected Systems
- Keycloak
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete takeover of the victim's account in every application that trusts the realm, with whatever privileges that user holds; an administrator's session is the worst case.
Likely Case
Theft of access tokens leading to unauthorized access to user accounts and sensitive data in connected applications.
If Mitigated
Network controls do not reduce this one: the victim's own browser sends the authorization request, so the attack works from wherever the user already has access. What limits impact is the client configuration. With the authorization code flow, the attacker receives only a code, which is useless without the client secret (confidential clients) or the PKCE code_verifier (public clients with PKCE enforced); with implicit flow or a public client without PKCE, the token itself is exposed. Short access token lifetimes shrink the window in which a stolen token is usable.
🎯 Exploit Status
This is a bypass of the same redirect_uri validation addressed by CVE-2023-6291, so the technique is well understood. The attacker needs a client_id from the realm (not secret) and must get the victim to open a crafted authorization URL, typically via phishing or a redirect from a site the attacker controls; no Keycloak credentials are required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Keycloak 24.0.4, 23.0.9, or 22.0.14
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-2419
Restart Required: Yes
Instructions:
1. Back up your Keycloak configuration and database.
2. Download the patched release from the Keycloak website, or pull the patched container image tag. Red Hat customers apply the update referenced in RHSA-2024:1867.
3. Stop the Keycloak service.
4. Replace the installation with the patched version, keeping your conf/ directory and any custom providers.
5. Restart the Keycloak service.
6. Verify functionality and confirm the new version in the startup log.
🔧 Temporary Workarounds
Strict Redirect URI Validation
Keycloak, not the relying party, enforces redirect_uri, so the lever is the client configuration rather than application code. For each client, set Valid Redirect URIs to exact URLs (scheme, host, port and path, no wildcards), disable Implicit Flow, and require PKCE (code challenge method S256) for public clients so that an authorization code delivered to the wrong host cannot be redeemed. Extra filtering inside the application does not help: when the redirect goes elsewhere, the browser never reaches it.
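To make the class of bug concrete, here is an added illustration (not Keycloak code, and not the input that defeated Keycloak's check) contrasting a string-prefix redirect_uri check with a parse-then-compare check. The allow-list mimics a client's Valid Redirect URIs, and the test URLs are constructed; the bypass shapes (userinfo before the host, a look-alike host suffix, a backslash, a different port) are generic OAuth redirect tricks.

```python
"""Added illustration of redirect_uri matching done two ways.
Not Keycloak code and not the CVE-2024-2419 payload; allow-list and URLs are constructed."""
from urllib.parse import urlsplit, unquote
import posixpath

# Constructed allow-list in the style of a client's "Valid Redirect URIs".
ALLOWED = ["https://app.example.com/callback", "https://app.example.com/*"]


def naive_allowed(uri: str) -> bool:
    """The shortcut: strip the trailing '/*' and prefix-match the raw string."""
    for entry in ALLOWED:
        if entry.endswith("*"):
            if uri.startswith(entry[:-1].rstrip("/")):
                return True
        elif uri == entry:
            return True
    return False


def _canonical(uri: str):
    """Return (scheme, host, port, path) or None when the URL is ambiguous."""
    if "\\" in uri:
        return None  # browsers treat '\' like '/', URL parsers do not: refuse
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return None
    if parts.username is not None or parts.password is not None:
        return None  # https://app.example.com@evil.example: that is userinfo, not the host
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return None
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return None  # non-numeric port
    path = posixpath.normpath(unquote(parts.path) or "/")  # collapse /./ and /../
    if parts.path.endswith("/") and path != "/":
        path += "/"
    return (scheme, host, port, path)


def strict_allowed(uri: str) -> bool:
    """Scheme, host and port must match exactly; a wildcard only widens the path."""
    cand = _canonical(uri)
    if cand is None:
        return False
    for entry in ALLOWED:
        wildcard = entry.endswith("*")
        ref = _canonical(entry[:-1] if wildcard else entry)
        if ref is None or cand[:3] != ref[:3]:
            continue
        if wildcard:
            base = ref[3] if ref[3].endswith("/") else ref[3] + "/"
            if cand[3].startswith(base) or cand[3] + "/" == base:
                return True
        elif cand[3] == ref[3]:
            return True
    return False


# Constructed probes: legitimate forms plus the classic host-confusion shapes.
CASES = [
    "https://app.example.com/cb?state=abc",
    "HTTPS://APP.EXAMPLE.COM/callback",
    "https://app.example.com.evil.example/cb",
    "https://app.example.com@evil.example/cb",
    "https://app.example.com\\@evil.example/cb",
    "https://app.example.com:8443/cb",
    "https://evil.example/?u=https://app.example.com/",
]


def compare() -> dict:
    """Map each probe to (naive verdict, strict verdict)."""
    return {u: (naive_allowed(u), strict_allowed(u)) for u in CASES}


if __name__ == "__main__":
    for uri, (naive, strict) in compare().items():
        print(f"naive={naive!s:5} strict={strict!s:5} {uri}")
```

The naive check waves through every look-alike host while rejecting a harmless upper-case URL; the strict check compares the parsed authority and only then lets the wildcard act on the path. Whatever validator you run, probe it with inputs of these shapes after patching.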
Network Segmentation
Restricting which networks can reach Keycloak shrinks exposure but does not stop this attack: the authorization request comes from the victim's own browser, which already has access. Treat this as hardening, not a fix. The Quarkus distribution listens on 8080 (HTTP) and 8443 (HTTPS) by default; replace <trusted-cidr> with your source range:
iptables -A INPUT -p tcp --dport 8080 -s <trusted-cidr> -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
🧯 If You Can't Patch
- WAF rules in front of the authorization endpoint (/realms/<realm>/protocol/openid-connect/auth) can reject requests whose redirect_uri carries userinfo (an @ before the host), a backslash, or a host outside your own domains; this is coarse and must be tuned against legitimate clients
- Shorten the realm's Access Token Lifespan so a stolen token expires quickly
- MFA is still worth enabling, but it does not block this attack: the redirect that leaks the code or token happens after the user has finished authenticating, MFA included
🔍 How to Verify
Check if Vulnerable:
Check the Keycloak version in the admin console, in the startup log (the banner line reads "Keycloak <version> on JVM"), or with the admin REST API as below.
Check Version:
The OIDC discovery document does not include the server version, so querying it tells you nothing. The admin REST API does, but needs an admin token. Note that the Quarkus distribution (Keycloak 17 and later) serves at / rather than /auth unless --http-relative-path=/auth was set; adjust the base URL accordingly.
ADMIN_TOKEN=$(curl -s -d 'client_id=admin-cli' -d 'username=admin' -d "password=$KEYCLOAK_ADMIN_PASSWORD" -d 'grant_type=password' http://localhost:8080/realms/master/protocol/openid-connect/token | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
curl -s -H "Authorization: Bearer $ADMIN_TOKEN" http://localhost:8080/admin/serverinfo | grep -o '"version":"[^"]*"' | head -n 1
Verify Fix Applied:
Confirm the running version is at or above the patch release for its own branch (24.0.4, 23.0.9 or 22.0.14); a higher version of a different branch says nothing about yours. Then test the behaviour: open the authorization endpoint with a valid client_id and a redirect_uri that is not in that client's Valid Redirect URIs, and confirm Keycloak renders its "Invalid parameter: redirect_uri" error page instead of redirecting. Repeat with look-alike variants (userinfo before the host, host suffix, different port, backslash) and make sure none of them redirects.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns in Keycloak logs
- Multiple failed redirect_uri validations from single IP
- Successful authentication with unexpected redirect hosts
Network Indicators:
- HTTP 302 redirects to unexpected domains
- OAuth authorization requests with manipulated redirect_uri parameters
SIEM Query:
Keycloak event logs carry no HTTP status field, so a status=302 clause matches nothing. Rejections are LOGIN_ERROR events with error=invalid_redirect_uri; successful logins carry the accepted redirect_uri as a detail. Two queries, the second with your own host in place of app.example.com:
source="keycloak" AND type=LOGIN_ERROR AND error=invalid_redirect_uri
source="keycloak" AND type=LOGIN AND redirect_uri=* AND NOT redirect_uri="https://app.example.com/*"
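The two detection ideas above, run over sample event lines, as an added example that is not part of the original page or of Keycloak: a burst of invalid_redirect_uri rejections from one source address (someone probing the validator), and a successful LOGIN whose redirect_uri parses to a host outside what the client is expected to use. The line format follows Keycloak's jboss-logging event listener (comma-separated key=value pairs; LOGIN_ERROR is logged at WARN by default, LOGIN at DEBUG, so raise the org.keycloak.events logger to DEBUG to see successes). The log lines, the per-client host map and the threshold are constructed.

```python
"""Added detection example over Keycloak-style event log lines. Not Keycloak code;
sample lines and the EXPECTED_HOSTS map are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the key=value style of the jboss-logging event listener.
SAMPLE_LOG = """\
type=LOGIN, realmId=myrealm, clientId=webapp, userId=7f1a, ipAddress=198.51.100.20, auth_method=openid-connect, redirect_uri=https://app.example.com/callback
type=LOGIN_ERROR, realmId=myrealm, clientId=webapp, userId=null, ipAddress=203.0.113.9, error=invalid_redirect_uri, redirect_uri=https://app.example.com.attacker.example/cb
type=LOGIN_ERROR, realmId=myrealm, clientId=webapp, userId=null, ipAddress=203.0.113.9, error=invalid_redirect_uri, redirect_uri=https://app.example.com@attacker.example/cb
type=LOGIN_ERROR, realmId=myrealm, clientId=webapp, userId=null, ipAddress=203.0.113.9, error=invalid_redirect_uri, redirect_uri=https://app.example.com:8443/cb
type=LOGIN, realmId=myrealm, clientId=webapp, userId=c2d4, ipAddress=198.51.100.77, auth_method=openid-connect, redirect_uri=https://app.example.com@attacker.example/cb
type=LOGIN_ERROR, realmId=myrealm, clientId=mobile, userId=null, ipAddress=198.51.100.3, error=invalid_redirect_uri, redirect_uri=myapp://typo
"""

# Constructed: the hosts each client is expected to redirect to (mirror its Valid Redirect URIs).
EXPECTED_HOSTS = {"webapp": {"app.example.com"}}

PAIR = re.compile(r"(\w+)=([^,]*)")


def parse_event(line: str) -> dict:
    """Turn 'k=v, k=v, ...' into a dict; values run up to the next comma."""
    return {k: v.strip() for k, v in PAIR.findall(line)}


def analyze(log_text: str, burst_threshold: int = 3) -> dict:
    """Return IPs with >= burst_threshold rejections and successful logins to foreign hosts."""
    errors_by_ip = Counter()
    suspicious = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        if ev.get("type") == "LOGIN_ERROR" and ev.get("error") == "invalid_redirect_uri":
            errors_by_ip[ev.get("ipAddress", "?")] += 1
        elif ev.get("type") == "LOGIN" and "redirect_uri" in ev:
            parts = urlsplit(ev["redirect_uri"])
            host = (parts.hostname or "").lower()  # hostname ignores any userinfo
            allowed = EXPECTED_HOSTS.get(ev.get("clientId"), set())
            # userinfo in a redirect target is never legitimate; a foreign host means the
            # validator accepted something the client configuration should have refused
            if parts.username is not None or host not in allowed:
                suspicious.append((ev.get("clientId"), ev.get("userId"), host))
    bursts = {ip: n for ip, n in errors_by_ip.items() if n >= burst_threshold}
    return {"bursts": bursts, "suspicious_success": suspicious}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, n in result["bursts"].items():
        print(f"redirect_uri probing: {n} rejections from {ip}")
    for client, user, host in result["suspicious_success"]:
        print(f"login for user {user} on client {client} redirected to unexpected host {host}")
```

The burst rule fires on the three rejections from 203.0.113.9; the single mobile typo from another address stays below the threshold. The second rule is the one that matters after a successful bypass: the rejection log goes quiet, and the only trace is a LOGIN whose accepted redirect_uri resolves to a host you never configured.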
🔗 References
- https://access.redhat.com/errata/RHSA-2024:1867
- https://access.redhat.com/security/cve/CVE-2024-2419
- https://bugzilla.redhat.com/show_bug.cgi?id=2269371