Assigner: redhat
Reserved: 2024-02-06
Published: 2024-04-17
Updated: 2024-07-25
Description
A flaw was found in the "checkLoginIframe" handler of Keycloak's OIDC component, which accepts cross-origin messages without validating their origin. Because incoming messages are not checked for a trusted origin, attackers can use simple code to coordinate and send millions of requests in seconds, significantly impacting the application's availability.
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Problem types
Product status
22.0.10-1 before *
22-13 before *
22-16 before *
0:18.0.13-1.redhat_00001.1.el7sso before *
0:18.0.13-1.redhat_00001.1.el8sso before *
0:18.0.13-1.redhat_00001.1.el9sso before *
7.6-46 before *
1.33.0-5 before *
1.33.0-5 before *
1.33.0-5 before *
1.33.0-5 before *
1.33.0-5 before *
1.33.0-5 before *
1.33.0-3 before *
1.33.0-5 before *
1.33.0-5 before *
Timeline
2024-02-06: Reported to Red Hat.
2024-04-16: Made public.
Credits
Red Hat would like to thank Adriano Márcio Monteiro for reporting this issue.
References
https://access.redhat.com/errata/RHSA-2024:1860 (RHSA-2024:1860)
https://access.redhat.com/errata/RHSA-2024:1861 (RHSA-2024:1861)
https://access.redhat.com/errata/RHSA-2024:1862 (RHSA-2024:1862)
https://access.redhat.com/errata/RHSA-2024:1864 (RHSA-2024:1864)
https://access.redhat.com/errata/RHSA-2024:1866 (RHSA-2024:1866)
https://access.redhat.com/errata/RHSA-2024:1867 (RHSA-2024:1867)
https://access.redhat.com/errata/RHSA-2024:1868 (RHSA-2024:1868)
https://access.redhat.com/errata/RHSA-2024:2945 (RHSA-2024:2945)
https://access.redhat.com/errata/RHSA-2024:4057 (RHSA-2024:4057)
https://access.redhat.com/security/cve/CVE-2024-1249
https://bugzilla.redhat.com/show_bug.cgi?id=2262918 (RHBZ#2262918)