Nixpkgs security tracker
Accepted
Permalink
CVE-2024-1249
7.4 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): HIGH
by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse accepted
Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos
A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.
References
Affected products
keycloak
- <22.0.10
- <24.0.3
eap7-netty
- *
RHSSO 7.6.8
eap7-wildfly
- *
eap7-undertow
- *
keycloak-core
eap7-hibernate
- *
mta/mta-ui-rhel8
mta/mta-ui-rhel9
rh-sso7-keycloak
- *
eap7-glassfish-el
- *
eap7-jackson-core
- *
rhdh-hub-container
rhbk/keycloak-rhel9
- *
rhdh/rhdh-hub-rhel9
eap7-wildfly-elytron
- *
eap7-wildfly-openssl
- *
eap7-jackson-databind
- *
eap7-jboss-ejb-client
- *
keycloak-adapter-eap6
eap7-jackson-annotations
- *
eap7-wildfly-http-client
- *
eap7-jackson-modules-base
- *
eap7-jackson-modules-java8
- *
eap7-wildfly-naming-client
- *
eap7-wildfly-openssl-linux
- *
org.keycloak.protocol.oidc
eap7-jboss-server-migration
- *
eap7-jackson-jaxrs-providers
- *
keycloak-adapter-sso7_2-eap6
keycloak-adapter-sso7_3-eap6
keycloak-adapter-sso7_4-eap6
keycloak-adapter-sso7_5-eap6
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
- *
rhbk/keycloak-operator-bundle
- *
rh-sso-7/sso76-openshift-rhel8
- *
Red Hat build of Keycloak 22.0.10
openshift-serverless-1/logic-rhel8-operator
- *
openshift-serverless-1/logic-operator-bundle
- *
openshift-serverless-1/logic-swf-builder-rhel8
- *
openshift-serverless-1/logic-swf-devmode-rhel8
- *
openshift-serverless-1-logic-rhel8-operator-container
- *
openshift-serverless-1/logic-data-index-ephemeral-rhel8
- *
openshift-serverless-1-logic-swf-builder-rhel8-container
- *
openshift-serverless-1-logic-swf-devmode-rhel8-container
- *
openshift-serverless-1/logic-data-index-postgresql-rhel8
- *
openshift-serverless-1/logic-jobs-service-ephemeral-rhel8
- *
openshift-serverless-1/logic-jobs-service-postgresql-rhel8
- *
openshift-serverless-1-logic-rhel8-operator-bundle-container
- *
openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8
- *
openshift-serverless-1-logic-data-index-ephemeral-rhel8-container
- *
openshift-serverless-1-logic-data-index-postgresql-rhel8-container
- *
openshift-serverless-1-logic-jobs-service-ephemeral-rhel8-container
- *
openshift-serverless-1-logic-jobs-service-postgresql-rhel8-container
- *
openshift-serverless-1-logic-kn-workflow-cli-artifacts-rhel8-container
- *
Package maintainers
-
@ngerstle Nicholas Gerstle <ngerstle@gmail.com>
-
@NickCao Nick Cao <nickcao@nichi.co>
-
@talyz Kim Lindberger <kim.lindberger@gmail.com>