Duplicate Advisory: Keycloak Open Redirect vulnerability

Severity: High
GitHub Reviewed

Published by the National Vulnerability Database: Sep 19, 2024
Published to the GitHub Advisory Database: Sep 19, 2024
Reviewed: Sep 19, 2024
Withdrawn: Dec 20, 2024
Last updated: Dec 20, 2024

Withdrawn: this advisory was withdrawn on Dec 20, 2024.
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-w8gr-xwp4-r9f7. This link is maintained to preserve external references.
Original Description
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
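As an added illustration, not taken from the advisory or from the Keycloak project, the script below scans a Keycloak realm export for clients whose Valid Redirect URIs include the loopback hosts named in the description (http://localhost, http://127.0.0.1, and the IPv6 equivalent ::1). It also flags a bare `*` entry, a broader risky pattern that the advisory itself does not mention. The realm export fragment is constructed for the example, and the `clients` / `redirectUris` field names are assumed to follow Keycloak's realm export JSON rather than being quoted from this page. The script only audits configuration; it does not reproduce Keycloak's own redirect-matching logic.

```python
import json
from urllib.parse import urlsplit

# Hostnames that the advisory identifies as unsafe in a Valid Redirect URI.
# "[::1]" is listed for completeness; urlsplit() already strips the brackets.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}

# Constructed realm export fragment (assumed field layout, not a real deployment).
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "web-app",
         "redirectUris": ["https://app.example.com/callback"]},
        {"clientId": "dev-client",
         "redirectUris": ["http://localhost:8080/*", "https://app.example.com/*"]},
        {"clientId": "legacy",
         "redirectUris": ["http://127.0.0.1/callback", "*"]},
    ],
})


def classify_redirect_uri(uri):
    """Return a finding label for one Valid Redirect URI entry, or None if it is not flagged.

    Labels:
      "wildcard-any"   - the entry is a bare "*", which admits any redirect target
      "loopback-host"  - the host is localhost / 127.0.0.1 / ::1 (the advisory's case)
    Relative entries (no scheme or host) are left to manual review and return None.
    """
    if uri.strip() == "*":
        return "wildcard-any"
    host = urlsplit(uri).hostname  # lowercased; None for relative entries
    if host is None:
        return None
    if host in LOOPBACK_HOSTS:
        return "loopback-host"
    return None


def audit_realm_export(export_json):
    """Walk every client's redirectUris and return findings as (clientId, uri, label) tuples."""
    data = json.loads(export_json)
    findings = []
    for client in data.get("clients", []):
        client_id = client.get("clientId", "<unnamed>")
        for uri in client.get("redirectUris", []):
            label = classify_redirect_uri(uri)
            if label is not None:
                findings.append((client_id, uri, label))
    return findings


if __name__ == "__main__":
    # Run against the constructed export; point this at a real export file in practice.
    for client_id, uri, label in audit_realm_export(SAMPLE_REALM_EXPORT):
        print(f"{label:14} client={client_id!r} uri={uri!r}")
```

Running the script on the constructed export reports the two loopback entries and the bare wildcard, and leaves the `https://app.example.com/...` entries alone. For a real audit, replace `SAMPLE_REALM_EXPORT` with the contents of a realm export produced by the Keycloak admin console or CLI and review each flagged client, replacing loopback entries with the exact, absolute redirect URIs the application actually uses.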
References