Millions of Requests in Seconds: Keycloak OIDC Flaw Affects Application Availability
CVE-2024-1249
7.4HIGH
Key Information
- Vendor
- Red Hat
- Status
- Red Hat Build Of Keycloak 22
- Red Hat Build Of Keycloak 22.0.10
- Red Hat Jboss A-MQ 7
- Red Hat Single Sign-on 7.6 For Rhel 7
- Vendor
- CVE Published:
- 17 April 2024
Summary
A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.
Affected Version(s)
Red Hat build of Keycloak 22 <= 22.0.10-1
Red Hat build of Keycloak 22 <= 22-13
Red Hat build of Keycloak 22 <= 22-16
CVSS V3.1
Score:
7.4
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
Timeline
Risk change from: null to: 7.4 - (HIGH)
Vulnerability published.
Vulnerability Reserved.
Reported to Red Hat.
Collectors
NVD DatabaseMitre Database
Credit
Red Hat would like to thank Adriano Márcio Monteiro for reporting this issue.