GitHub Advisory Database: GHSA-m6q9-p373-g5q8
Apr 17, 2024 - 6:24 p.m.

Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS

2024-04-17 18:24:38
CWE-346
GitHub Advisory Database
github.com
Tags: keycloak, ddos, cross-origin messages, vulnerability, checkloginiframe

CVSS3: 7.4 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

AI Score: 6.7 Medium (confidence: Low)
EPSS: 0.0004 Low (percentile: 13.1%)

The login-status iframe used by Keycloak's "checkLoginIframe" session check accepts cross-origin messages without validating their origin (CWE-346, Origin Validation Error). Because the iframe acts on every message it receives, a page on any origin that a victim's browser visits can drive it with a few lines of script; attackers coordinating such pages can make the iframe issue millions of requests in seconds and significantly degrade the application's availability. Validating the origin of incoming messages, and ignoring messages from origins that are not expected, removes the amplification path.
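As an added illustration (this is not Keycloak's code and not part of the advisory), the following Node-runnable script models a login-status iframe's `message` handler in two forms: one that processes every message regardless of sender, and one that first checks `event.origin` against an allowlist of client origins. The message format (`"<clientId> <sessionState>"`), the `checkSession` backend call, the handler names and the origin `https://app.example.com` are assumptions made for the example; the flood is simulated in-process with constructed events so it runs offline.

```javascript
// Added example: origin validation for a postMessage-driven status iframe.
// Names, message format and the allowlist below are assumptions, not Keycloak's API.

// Assumed allowlist: the web origins registered for the client(s) the iframe serves.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Assumed message format: "<clientId> <sessionState>". Returns null for anything else.
function parseStatusMessage(data) {
  if (typeof data !== 'string') return null;
  const parts = data.split(' ');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  return { clientId: parts[0], sessionState: parts[1] };
}

// Vulnerable shape: every well-formed message, from any origin, causes one
// backend request and one reply. An attacker page just loops postMessage().
function makeVulnerableHandler(backend) {
  return function onMessage(event) {
    const msg = parseStatusMessage(event.data);
    if (!msg) return 'ignored';
    backend.checkSession(msg);                       // one request per message
    event.source.postMessage('unchanged', event.origin);
    return 'handled';
  };
}

// Hardened shape: reject before doing any work unless event.origin is an
// exact match in the allowlist. No backend request and no reply for strangers.
function makeHardenedHandler(backend, allowedOrigins = ALLOWED_ORIGINS) {
  return function onMessage(event) {
    if (typeof event.origin !== 'string' || !allowedOrigins.has(event.origin)) {
      return 'rejected';
    }
    const msg = parseStatusMessage(event.data);
    if (!msg) return 'ignored';
    backend.checkSession(msg);
    event.source.postMessage('unchanged', event.origin); // reply only to the trusted origin
    return 'handled';
  };
}

// Simulated flood: `count` constructed message events from `senderOrigin`.
// Counts how many backend requests and replies each handler generates.
function simulateFlood(handlerFactory, senderOrigin, count) {
  const backend = { requests: 0, checkSession() { this.requests += 1; } };
  const source = { replies: 0, postMessage() { this.replies += 1; } };
  const handler = handlerFactory(backend);
  const results = { handled: 0, rejected: 0, ignored: 0 };
  for (let i = 0; i < count; i++) {
    const outcome = handler({ origin: senderOrigin, data: `client-1 session-${i}`, source });
    results[outcome] += 1;
  }
  return { backendRequests: backend.requests, replies: source.replies, ...results };
}

// Demo: 1000 messages from an attacker-controlled origin against each handler.
console.log('vulnerable:', simulateFlood(makeVulnerableHandler, 'https://evil.example', 1000));
console.log('hardened:  ', simulateFlood(makeHardenedHandler, 'https://evil.example', 1000));
console.log('legit:     ', simulateFlood(makeHardenedHandler, 'https://app.example.com', 5));

// In a real iframe the hardened handler would be registered as:
//   window.addEventListener('message', makeHardenedHandler(backend));
```

Two details matter in the hardened form: the comparison is an exact match against a fixed set of full origins (scheme, host, port), not a substring or prefix test, and the reply goes only to an origin that passed the check, so the iframe never becomes an oracle for arbitrary pages either.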

Acknowledgements

Special thanks to Adriano Márcio Monteiro from BRZTEC for reporting this issue and helping us improve our project.

Affected configurations (Vulners)

org.keycloak\keycloak-services (three affected version ranges; the ranges did not survive extraction of this page)
