logo

Database

Lack of data validation In org.keycloak:keycloak-services

Description

Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS A potential security flaw in the "checkLoginIframe" which allows unvalidated cross-origin messages, enabling potential DDoS attacks. By exploiting this vulnerability, attackers could coordinate to send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.

Acknowledgements

Special thanks to Adriano Márcio Monteiro from BRZTEC for reporting this issue and helping us improve our project.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-12492. NVD-2024-12493. OSV-2024-12494. GHSA-m6q9-p373-g5q85. GCVE-2024-12496. access.redhat.com7. access.redhat.com8. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. access.redhat.com13. access.redhat.com14. access.redhat.com15. ACCESS-CVE-2024-1249

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-m6q9-p373-g5q82. https://github.com/keycloak/keycloak/commit/9d9817e15a07195f16f554b7f60ee3a918369e263. https://github.com/keycloak/keycloak/commit/e3598a53678a1e3698e78eb71e04ba10ca32e5e24. https://bugzilla.redhat.com/show_bug.cgi?id=2262918

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.