Assigner | redhat
Reserved | 2024-02-06
Published | 2024-04-17
Updated | 2024-10-29
Description
A flaw was found in Keycloak's OIDC component in "checkLoginIframe", which accepts cross-origin messages without validating their origin. Because incoming messages are not origin-validated, attackers can coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability.
Severity | HIGH 7.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Product status (product names are not present in this copy of the record; each entry lists its default status followed by any version ranges)
Default status: unaffected; 21.1.0 before 22.0.10: affected; 23.0.0 before 24.0.3: affected
Default status: unaffected
Default status: affected; 22.0.10-1 before *: unaffected
Default status: affected; 22-13 before *: unaffected
Default status: affected; 22-16 before *: unaffected
Default status: unaffected
Default status: affected; 0:18.0.13-1.redhat_00001.1.el7sso before *: unaffected
Default status: affected; 0:18.0.13-1.redhat_00001.1.el8sso before *: unaffected
Default status: affected; 0:18.0.13-1.redhat_00001.1.el9sso before *: unaffected
Default status: affected; 7.6-46 before *: unaffected
Default status: affected; 1.33.0-5 before *: unaffected
Default status: affected; 1.33.0-5 before *: unaffected
Default status: affected; 1.33.0-5 before *: unaffected
Default status: affected; 1.33.0-5 before *: unaffected
Default status: affected; 1.33.0-5 before *: unaffected
Default status: affected; 1.33.0-5 before *: unaffected
Default status: affected; 1.33.0-3 before *: unaffected
Default status: affected; 1.33.0-5 before *: unaffected
Default status: affected; 1.33.0-5 before *: unaffected
Default status: unaffected
Default status: affected
Default status: affected
Default status: affected
Default status: unaffected
Default status: affected
Default status: unaffected
Default status: unaffected
Default status: unaffected
Default status: unknown
Default status: unknown
Default status: unknown
Default status: unknown
Default status: unknown
Default status: unknown
Default status: unknown
Default status: unknown
Default status: affected
Default status: affected
Default status: unaffected
Default status: affected
Default status: unaffected
Timeline
2024-02-06: Reported to Red Hat.
2024-04-16: Made public.
Credits
Red Hat would like to thank Adriano Márcio Monteiro for reporting this issue.
References
https://access.redhat.com/errata/RHSA-2024:1860 (RHSA-2024:1860) vendor-advisory
https://access.redhat.com/errata/RHSA-2024:1861 (RHSA-2024:1861) vendor-advisory
https://access.redhat.com/errata/RHSA-2024:1862 (RHSA-2024:1862) vendor-advisory
https://access.redhat.com/errata/RHSA-2024:1864 (RHSA-2024:1864) vendor-advisory
https://access.redhat.com/errata/RHSA-2024:1866 (RHSA-2024:1866) vendor-advisory
https://access.redhat.com/errata/RHSA-2024:1867 (RHSA-2024:1867) vendor-advisory
https://access.redhat.com/errata/RHSA-2024:1868 (RHSA-2024:1868) vendor-advisory
https://access.redhat.com/errata/RHSA-2024:2945 (RHSA-2024:2945) vendor-advisory
https://access.redhat.com/errata/RHSA-2024:4057 (RHSA-2024:4057) vendor-advisory
https://access.redhat.com/security/cve/CVE-2024-1249 vdb-entry
https://bugzilla.redhat.com/show_bug.cgi?id=2262918 (RHBZ#2262918) issue-tracking
cve.org CVE-2024-1249
nvd.nist.gov CVE-2024-1249
https://cve.threatint.com