GHSA-pcx7-8hxg-j823 – org.keycloak:keycloak-quarkus-server

Package

Manager: maven
Name: org.keycloak:keycloak-quarkus-server
Vulnerable Version: <0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: N/A

EPSS: N/A pctlN/A

Details

Duplicate Advisory: Keycloak proxy header handling Denial-of-Service (DoS) vulnerability ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-jgwc-jh89-rpgq. This link is maintained to preserve external references. ## Original Description A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

Metadata

Created: 2024-11-25T09:30:59Z
Modified: 2024-11-25T19:35:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-pcx7-8hxg-j823/GHSA-pcx7-8hxg-j823.json
CWE IDs: ["CWE-444"]
Alternative ID: N/A
Finding: N/A
Auto approve: 0