What is CVE-2023-6134?

CVE-2023-6134 is a medium-severity vulnerability in Red Hat Build Of Keycloak 22, classified under Cross-site Scripting. CVSS score: 4.6/10. Published 2023-12-14.

How severe is CVE-2023-6134?

Medium severity. CVSS v3 base score is 4.6 out of 10.

Is CVE-2023-6134 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

XSS in Red Hat Build Of Keycloak 22

CVE-2023-6134

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.009 (55.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.6 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.

Affected products

Red Hat Build Of Keycloak 22 — versions 22.0.7-1, 22-6, 22-9
Red Hat Build Of Keycloak 22.0.7
Red Hat Single Sign-on 7
Red Hat Single Sign-on 7.6 For Rhel 7 — versions 0:18.0.11-2.redhat_00003.1.el7sso, 0:18.0.12-1.redhat_00001.1.el7sso
Red Hat Single Sign-on 7.6 For Rhel 8 — versions 0:18.0.11-2.redhat_00003.1.el8sso, 0:18.0.12-1.redhat_00001.1.el8sso
Red Hat Single Sign-on 7.6 For Rhel 9 — versions 0:18.0.11-2.redhat_00003.1.el9sso, 0:18.0.12-1.redhat_00001.1.el9sso
Red Hat Rhel-8 Based Middleware Containers — versions 7.6-38, 7.6.6-2, 7.6-41
Red Hat Single Sign-on 7.6.6
Redhat Enterprise_linux — versions 7.0, 8.0, 9.0
Redhat Keycloak

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

Public proof-of-concept exploits

leoambrus/artefactswithoutCVEonGitHubAdvisoryDatabase

References

secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, Exploit, vendor-advisory, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)

Frequently asked questions

What is CVE-2023-6134?: CVE-2023-6134 is a medium-severity vulnerability in Red Hat Build Of Keycloak 22, classified under Cross-site Scripting. CVSS score: 4.6/10. Published 2023-12-14.
How severe is CVE-2023-6134?: Medium severity. CVSS v3 base score is 4.6 out of 10.
Is CVE-2023-6134 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.