Veracode Vulnerability DatabaseVERACODE:46493Cross-Site Request Forgery (CSRF)
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
7.2 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
13.1%
org.keycloak, keycloak-services is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to inadequate validation of cross-origin messages in Keycloak’s OIDC component’s “checkLoginIframe,” allowing attackers to exploit Cross-Site Request Forgery (CSRF) attacks.
| CPE | Name | Operator | Version |
|---|---|---|---|
| keycloak rest services | le | 24.0.2 | |
| keycloak rest services | le | 24.0.2 |
References
access.redhat.com/errata/RHSA-2024:1860
access.redhat.com/errata/RHSA-2024:1861
access.redhat.com/errata/RHSA-2024:1862
access.redhat.com/errata/RHSA-2024:1864
access.redhat.com/errata/RHSA-2024:1866
access.redhat.com/errata/RHSA-2024:1867
access.redhat.com/errata/RHSA-2024:1868
access.redhat.com/errata/RHSA-2024:2945
access.redhat.com/errata/RHSA-2024:4057
access.redhat.com/security/cve/CVE-2024-1249
bugzilla.redhat.com/show_bug.cgi?id=2262918
github.com/keycloak/keycloak/commit/9d9817e15a07195f16f554b7f60ee3a918369e26
github.com/keycloak/keycloak/commit/e3598a53678a1e3698e78eb71e04ba10ca32e5e2
github.com/keycloak/keycloak/security/advisories/GHSA-m6q9-p373-g5q8
Related
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
7.2 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
13.1%