Millions of Requests in Seconds: Keycloak OIDC Flaw Affects Application Availability

CVE-2024-1249

7.4HIGH

Key Information

Vendor: Red Hat
Status: Red Hat Build Of Keycloak 22; Red Hat Build Of Keycloak 22.0.10; Red Hat Jboss A-MQ 7; Red Hat Single Sign-on 7.6 For Rhel 7
Vendor: CVE Published:; 17 April 2024

Summary

A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.

Affected Version(s)

Red Hat build of Keycloak 22 <= 22.0.10-1

Red Hat build of Keycloak 22 <= 22-13

Red Hat build of Keycloak 22 <= 22-16

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Risk change from: null to: 7.4 - (HIGH)
Apr 17, 2024
Vulnerability published.
Apr 17, 2024
Vulnerability Reserved.
Feb 6, 2024
Reported to Red Hat.
Feb 6, 2024

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Adriano Márcio Monteiro for reporting this issue.