Lucene search
RedhatVULNRICHMENT:CVE-2024-1249HistoryApr 17, 2024 - 1:22 p.m.
CVE-2024-1249 Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos
2024-04-1713:22:48
CWE-346
redhat
github.com
cve-2024-1249
keycloak
oidc
cross-origin messages
ddos
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
13.1%
A flaw was found in Keycloak’s OIDC component in the “checkLoginIframe,” which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application’s availability without proper origin validation for incoming messages.
CNA Affected
[
{
"cpes": [
"cpe:/a:redhat:build_keycloak:22::el9"
],
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22",
"versions": [
{
"status": "unaffected",
"version": "22.0.10-1",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhbk/keycloak-operator-bundle",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:build_keycloak:22::el9"
],
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22",
"versions": [
{
"status": "unaffected",
"version": "22-13",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhbk/keycloak-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:build_keycloak:22::el9"
],
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22",
"versions": [
{
"status": "unaffected",
"version": "22-16",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhbk/keycloak-rhel9-operator",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:build_keycloak:22"
],
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22.0.10",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:amq_broker:7.12"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss A-MQ 7",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
],
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7.6 for RHEL 7",
"versions": [
{
"status": "unaffected",
"version": "0:18.0.13-1.redhat_00001.1.el7sso",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rh-sso7-keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
],
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7.6 for RHEL 8",
"versions": [
{
"status": "unaffected",
"version": "0:18.0.13-1.redhat_00001.1.el8sso",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rh-sso7-keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
],
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7.6 for RHEL 9",
"versions": [
{
"status": "unaffected",
"version": "0:18.0.13-1.redhat_00001.1.el9sso",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rh-sso7-keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:rhosemc:1.0::el8"
],
"vendor": "Red Hat",
"product": "RHEL-8 based Middleware Containers",
"versions": [
{
"status": "unaffected",
"version": "7.6-46",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rh-sso-7/sso76-openshift-rhel8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6"
],
"vendor": "Red Hat",
"product": "RHSSO 7.6.8",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:6"
],
"vendor": "Red Hat",
"product": "Migration Toolkit for Applications 6",
"packageName": "mta/mta-ui-rhel8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:7"
],
"vendor": "Red Hat",
"product": "Migration Toolkit for Applications 7",
"packageName": "mta/mta-ui-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"vendor": "Red Hat",
"product": "OpenShift Serverless",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
],
"vendor": "Red Hat",
"product": "Red Hat Data Grid 8",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_brms_platform:7"
],
"vendor": "Red Hat",
"product": "Red Hat Decision Manager 7",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1"
],
"vendor": "Red Hat",
"product": "Red Hat Developer Hub",
"packageName": "rhdh-hub-container",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:service_registry:2"
],
"vendor": "Red Hat",
"product": "Red Hat Integration Service Registry",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:jboss_data_grid:7"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss Data Grid 7",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:6"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 6",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:6"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 6",
"packageName": "keycloak-adapter-eap6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:6"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 6",
"packageName": "keycloak-adapter-sso7_2-eap6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:6"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 6",
"packageName": "keycloak-adapter-sso7_3-eap6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:6"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 6",
"packageName": "keycloak-adapter-sso7_4-eap6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:6"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 6",
"packageName": "keycloak-adapter-sso7_5-eap6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:6"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 6",
"packageName": "org.keycloak-keycloak-parent",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:6"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 6",
"packageName": "rh-sso7-keycloak",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 7",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
],
"vendor": "Red Hat",
"product": "Red Hat JBoss Fuse 7",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
],
"vendor": "Red Hat",
"product": "Red Hat Process Automation 7",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:amq_streams:1"
],
"vendor": "Red Hat",
"product": "streams for Apache Kafka",
"packageName": "keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected"
}
]References
access.redhat.com/errata/RHSA-2024:1860
access.redhat.com/errata/RHSA-2024:1861
access.redhat.com/errata/RHSA-2024:1862
access.redhat.com/errata/RHSA-2024:1864
access.redhat.com/errata/RHSA-2024:1866
access.redhat.com/errata/RHSA-2024:1867
access.redhat.com/errata/RHSA-2024:1868
access.redhat.com/errata/RHSA-2024:2945
access.redhat.com/security/cve/CVE-2024-1249
bugzilla.redhat.com/show_bug.cgi?id=2262918
Related
cve
cve
CVE-2024-1249
2024-04-17 14:15:08
redhatcve
redhatcve
CVE-2024-1249
2024-04-17 13:02:45
veracode
veracode
Cross-Site Request Forgery (CSRF)
2024-04-18 04:19:15
wolfi
wolfi
CVE-2024-1249 vulnerabilities
2024-06-22 09:08:24
nvd
nvd
CVE-2024-1249
2024-04-17 14:15:08
cvelist
cvelist
github
github
osv
osv
cgr
cgr
CVE-2024-1249 vulnerabilities
2024-05-19 03:07:16
redhat
redhat
nessus
nessus
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
13.1%
Related for VULNRICHMENT:CVE-2024-1249