CVE-2024-1249 – org.keycloak:keycloak-services
Package
Manager: maven
Name: org.keycloak:keycloak-services
Vulnerable Version: >=0 <22.0.10 || >=23.0.0 <24.0.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00131 (percentile 0.33346)
Details
Keycloak's unvalidated cross-origin messages in checkLoginIframe lead to DDoS

A potential security flaw in checkLoginIframe allows unvalidated cross-origin messages, enabling potential DDoS attacks. Because incoming messages are not checked for a proper origin, attackers could coordinate to send millions of requests in seconds using simple code, significantly impacting the application's availability.

Acknowledgements
Special thanks to Adriano Márcio Monteiro from BRZTEC for reporting this issue and helping us improve our project.
Metadata
Created: 2024-04-17T18:24:38Z
Modified: 2024-06-24T17:05:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-m6q9-p373-g5q8/GHSA-m6q9-p373-g5q8.json
CWE IDs: ["CWE-346"]
Alternative ID: GHSA-m6q9-p373-g5q8
Finding: F184
Auto approve: 1