RHSA-2024:10386
Vulnerability from csaf_redhat
Published
2024-11-26 15:37
Modified
2025-05-02 17:29
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0 update
Notes
Topic
A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime.
This asynchronous patch is an update for Red Hat JBoss Enterprise Application Platform 8.0. JBoss Enterprise Application Platform 8.0 Update 4.1 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* org.keycloak/keycloak-services: Vulnerable Redirect URI Validation Results in Open Redirec [eap-8.0.z] (CVE-2024-8883)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is an update for Red Hat JBoss Enterprise Application Platform 8.0. JBoss Enterprise Application Platform 8.0 Update 4.1 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* org.keycloak/keycloak-services: Vulnerable Redirect URI Validation Results in Open Redirec [eap-8.0.z] (CVE-2024-8883)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:10386", url: "https://access.redhat.com/errata/RHSA-2024:10386", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/8.0/", url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/8.0/", }, { category: "external", summary: "https://access.redhat.com/articles/7090605", url: "https://access.redhat.com/articles/7090605", }, { category: "external", summary: "2312511", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2312511", }, { category: "external", summary: "JBEAP-28488", url: "https://issues.redhat.com/browse/JBEAP-28488", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10386.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0 update", tracking: { current_release_date: "2025-05-02T17:29:26+00:00", generator: { date: "2025-05-02T17:29:26+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.3", }, }, id: "RHSA-2024:10386", initial_release_date: "2024-11-26T15:37:37+00:00", revision_history: [ { date: "2024-11-26T15:37:37+00:00", number: "1", summary: "Initial version", }, { date: "2024-11-26T15:37:37+00:00", number: "2", summary: "Last updated version", }, { date: "2025-05-02T17:29:26+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss EAP 8.0 for RHEL 9", product: { name: "Red Hat JBoss EAP 8.0 for RHEL 9", product_id: "9Base-JBEAP-8.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", }, }, }, { category: "product_name", name: "Red Hat JBoss EAP 8.0 for RHEL 8", product: { name: "Red Hat JBoss EAP 8.0 for RHEL 8", product_id: "8Base-JBEAP-8.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", }, }, }, ], category: "product_family", name: "Red Hat JBoss Enterprise Application Platform", }, { branches: [ { category: "product_version", name: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.src", product: { name: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.src", product_id: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-eap-product-conf-parent@800.4.1-1.GA_redhat_00001.1.el9eap?arch=src", }, }, }, { category: "product_version", name: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.src", product: { name: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.src", product_id: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-wildfly@8.0.4-3.GA_redhat_00007.1.el9eap?arch=src", }, }, }, { category: "product_version", name: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.src", product: { name: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.src", product_id: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-eap-product-conf-parent@800.4.1-1.GA_redhat_00001.1.el8eap?arch=src", }, }, }, { category: "product_version", name: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.src", product: { name: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.src", product_id: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-wildfly@8.0.4-3.GA_redhat_00007.1.el8eap?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", product: { name: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", product_id: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-eap-product-conf-parent@800.4.1-1.GA_redhat_00001.1.el9eap?arch=noarch", }, }, }, { category: "product_version", name: "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", product: { name: "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", product_id: "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-eap-product-conf-wildfly-ee-feature-pack@800.4.1-1.GA_redhat_00001.1.el9eap?arch=noarch", }, }, }, { category: "product_version", name: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product: { name: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product_id: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-wildfly@8.0.4-3.GA_redhat_00007.1.el9eap?arch=noarch", }, }, }, { category: "product_version", name: "eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product: { name: "eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product_id: "eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-wildfly-java-jdk11@8.0.4-3.GA_redhat_00007.1.el9eap?arch=noarch", }, }, }, { category: "product_version", name: "eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product: { name: "eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product_id: "eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-wildfly-java-jdk17@8.0.4-3.GA_redhat_00007.1.el9eap?arch=noarch", }, }, }, { category: "product_version", name: "eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product: { name: "eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product_id: "eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-wildfly-java-jdk21@8.0.4-3.GA_redhat_00007.1.el9eap?arch=noarch", }, }, }, { category: "product_version", name: "eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product: { name: "eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product_id: "eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-wildfly-modules@8.0.4-3.GA_redhat_00007.1.el9eap?arch=noarch", }, }, }, { category: "product_version", name: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", product: { name: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", product_id: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-eap-product-conf-parent@800.4.1-1.GA_redhat_00001.1.el8eap?arch=noarch", }, }, }, { category: "product_version", name: "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", product: { name: "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", product_id: "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-eap-product-conf-wildfly-ee-feature-pack@800.4.1-1.GA_redhat_00001.1.el8eap?arch=noarch", }, }, }, { category: "product_version", name: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product: { name: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product_id: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-wildfly@8.0.4-3.GA_redhat_00007.1.el8eap?arch=noarch", }, }, }, { category: "product_version", name: "eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product: { name: "eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product_id: "eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-wildfly-java-jdk11@8.0.4-3.GA_redhat_00007.1.el8eap?arch=noarch", }, }, }, { category: "product_version", name: "eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product: { name: "eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product_id: "eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-wildfly-java-jdk17@8.0.4-3.GA_redhat_00007.1.el8eap?arch=noarch", }, }, }, { category: "product_version", name: "eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product: { name: "eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product_id: "eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-wildfly-java-jdk21@8.0.4-3.GA_redhat_00007.1.el8eap?arch=noarch", }, }, }, { category: "product_version", name: "eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product: { name: "eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product_id: "eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap8-wildfly-modules@8.0.4-3.GA_redhat_00007.1.el8eap?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8", product_id: "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", }, product_reference: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", relates_to_product_reference: "8Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 8.0 for RHEL 8", product_id: "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.src", }, product_reference: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.src", relates_to_product_reference: "8Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8", product_id: "8Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", }, product_reference: "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", relates_to_product_reference: "8Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8", product_id: "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", }, product_reference: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", relates_to_product_reference: "8Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.src as a component of Red Hat JBoss EAP 8.0 for RHEL 8", product_id: "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.src", }, product_reference: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.src", relates_to_product_reference: "8Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8", product_id: "8Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", }, product_reference: "eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", relates_to_product_reference: "8Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8", product_id: "8Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", }, product_reference: "eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", relates_to_product_reference: "8Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8", product_id: "8Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", }, product_reference: "eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", relates_to_product_reference: "8Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8", product_id: "8Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", }, product_reference: "eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", relates_to_product_reference: "8Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9", product_id: "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", }, product_reference: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", relates_to_product_reference: "9Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 8.0 for RHEL 9", product_id: "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.src", }, product_reference: "eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.src", relates_to_product_reference: "9Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9", product_id: "9Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", }, product_reference: "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", relates_to_product_reference: "9Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9", product_id: "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", }, product_reference: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", relates_to_product_reference: "9Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.src as a component of Red Hat JBoss EAP 8.0 for RHEL 9", product_id: "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.src", }, product_reference: "eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.src", relates_to_product_reference: "9Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9", product_id: "9Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", }, product_reference: "eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", relates_to_product_reference: "9Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9", product_id: "9Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", }, product_reference: "eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", relates_to_product_reference: "9Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9", product_id: "9Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", }, product_reference: "eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", relates_to_product_reference: "9Base-JBEAP-8.0", }, { category: "default_component_of", full_product_name: { name: "eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9", product_id: "9Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", }, product_reference: "eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", relates_to_product_reference: "9Base-JBEAP-8.0", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Niklas Conrad", "Karsten Meyer zu Selhausen", ], }, ], cve: "CVE-2024-8883", cwe: { id: "CWE-601", name: "URL Redirection to Untrusted Site ('Open Redirect')", }, discovery_date: "2024-09-16T06:17:01.573000+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2312511", }, ], notes: [ { category: "description", text: "A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.", title: "Vulnerability description", }, { category: "summary", text: "Keycloak: Vulnerable Redirect URI Validation Results in Open Redirec", title: "Vulnerability summary", }, { category: "other", text: "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nThe platform limits access to external systems and enforces strict network security boundaries through a deny-all, allow-exception system implementation. This ensures that access to external websites and systems is strictly controlled, monitored, and, if necessary, restricted. By enforcing policies on which external sites or domains users and applications can interact with, this control minimizes the risk of users being redirected to malicious websites. For example, organizations may implement allowlists of approved URLs or domains, blocking any redirections to untrusted or unauthorized sites. The platform's implementation of boundary protection includes firewalls, gateways, and intrusion detection/prevention systems. This control prevents unauthorized traffic, including malicious redirect requests, from entering or leaving the internal network. The boundary protection control can enforce URL filtering, domain allowlisting, and content inspection to block redirection attempts to known malicious domains. When configured properly, boundary protection mechanisms ensure that even if an open redirect vulnerability is exploited, the impact is limited by blocking access to harmful external sites.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.src", "8Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.src", "8Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.src", "9Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.src", "9Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-8883", }, { category: "external", summary: "RHBZ#2312511", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2312511", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-8883", url: "https://www.cve.org/CVERecord?id=CVE-2024-8883", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-8883", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-8883", }, { category: "external", summary: "https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java", url: "https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java", }, ], release_date: "2024-09-19T15:13:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-26T15:37:37+00:00", details: "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database\nsettings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.src", "8Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.src", "8Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.src", "9Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.src", "9Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:10386", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.src", "8Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.src", "8Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.src", "9Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.src", "9Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el8eap.src", "8Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el8eap.src", "8Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "8Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el8eap.noarch", "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.4.1-1.GA_redhat_00001.1.el9eap.src", "9Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.4.1-1.GA_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.4-3.GA_redhat_00007.1.el9eap.src", "9Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", "9Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.4-3.GA_redhat_00007.1.el9eap.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Keycloak: Vulnerable Redirect URI Validation Results in Open Redirec", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.