Nixpkgs security tracker

Accepted

Permalink CVE-2024-1249

7.4 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 1 year, 5 months ago by @LeSuisse Activity log

Created suggestion 1 year, 5 months ago
@LeSuisse accepted 1 year, 5 months ago

Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos

A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.

References

RHSA-2024:1860 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2024:1861 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2024:1862 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2024:1864 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2024:1866 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2024:1867 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2024:1868 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2024:2945 x_refsource_REDHATvendor-advisoryx_transferred
RHSA-2024:4057 x_refsource_REDHATvendor-advisoryx_transferred
https://access.redhat.com/security/cve/CVE-2024-1249 vdb-entryx_refsource_REDHATx_transferred
RHBZ#2262918 x_refsource_REDHATissue-trackingx_transferred
RHSA-2025:9582 x_refsource_REDHATvendor-advisory
RHSA-2025:9583 x_refsource_REDHATvendor-advisory

Affected products

keycloak

<22.0.10
<24.0.3

eap7-netty

RHSSO 7.6.8

eap7-wildfly

eap7-undertow

keycloak-core

eap7-hibernate

mta/mta-ui-rhel8

mta/mta-ui-rhel9

rh-sso7-keycloak

eap7-glassfish-el

eap7-jackson-core

rhdh-hub-container

rhbk/keycloak-rhel9

rhdh/rhdh-hub-rhel9

eap7-wildfly-elytron

eap7-wildfly-openssl

eap7-jackson-databind

eap7-jboss-ejb-client

keycloak-adapter-eap6

eap7-jackson-annotations

eap7-wildfly-http-client

eap7-jackson-modules-base

eap7-jackson-modules-java8

eap7-wildfly-naming-client

eap7-wildfly-openssl-linux

org.keycloak.protocol.oidc

eap7-jboss-server-migration

eap7-jackson-jaxrs-providers

keycloak-adapter-sso7_2-eap6

keycloak-adapter-sso7_3-eap6

keycloak-adapter-sso7_4-eap6

keycloak-adapter-sso7_5-eap6

org.keycloak-keycloak-parent

rhbk/keycloak-rhel9-operator

rhbk/keycloak-operator-bundle

rh-sso-7/sso76-openshift-rhel8

Red Hat build of Keycloak 22.0.10

openshift-serverless-1/logic-rhel8-operator

openshift-serverless-1/logic-operator-bundle

openshift-serverless-1/logic-swf-builder-rhel8

openshift-serverless-1/logic-swf-devmode-rhel8

openshift-serverless-1-logic-rhel8-operator-container

openshift-serverless-1/logic-data-index-ephemeral-rhel8

openshift-serverless-1-logic-swf-builder-rhel8-container

openshift-serverless-1-logic-swf-devmode-rhel8-container

openshift-serverless-1/logic-data-index-postgresql-rhel8

openshift-serverless-1/logic-jobs-service-ephemeral-rhel8

openshift-serverless-1/logic-jobs-service-postgresql-rhel8

openshift-serverless-1-logic-rhel8-operator-bundle-container

openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8

openshift-serverless-1-logic-data-index-ephemeral-rhel8-container

openshift-serverless-1-logic-data-index-postgresql-rhel8-container

openshift-serverless-1-logic-jobs-service-ephemeral-rhel8-container

openshift-serverless-1-logic-jobs-service-postgresql-rhel8-container

openshift-serverless-1-logic-kn-workflow-cli-artifacts-rhel8-container

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

nixos-unstable 26.0.6
- nixpkgs-unstable 26.0.6
- nixos-unstable-small 26.0.7

Package maintainers

@NickCao Nick Cao <nickcao@nichi.co>
@talyz Kim Lindberger <kim.lindberger@gmail.com>
@ngerstle Nicholas Gerstle <ngerstle@gmail.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.keycloak

Package maintainers