GoogleOSV:GHSA-M6Q9-P373-G5Q8Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
6.7 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
13.0%
A potential security flaw in the βcheckLoginIframeβ which allows unvalidated cross-origin messages, enabling potential DDoS attacks. By exploiting this vulnerability, attackers could coordinate to send millions of requests in seconds using simple code, significantly impacting the applicationβs availability without proper origin validation for incoming messages.
Acknowledgements
Special thanks to Adriano MΓ‘rcio Monteiro from BRZTEC for reporting this issue and helping us improve our project.
References
access.redhat.com/errata/RHSA-2024:1860
access.redhat.com/errata/RHSA-2024:1861
access.redhat.com/errata/RHSA-2024:1862
access.redhat.com/errata/RHSA-2024:1864
access.redhat.com/errata/RHSA-2024:1866
access.redhat.com/errata/RHSA-2024:1867
access.redhat.com/errata/RHSA-2024:1868
access.redhat.com/errata/RHSA-2024:2945
access.redhat.com/errata/RHSA-2024:4057
access.redhat.com/security/cve/CVE-2024-1249
bugzilla.redhat.com/show_bug.cgi?id=2262918
github.com/keycloak/keycloak
github.com/keycloak/keycloak/commit/9d9817e15a07195f16f554b7f60ee3a918369e26
github.com/keycloak/keycloak/commit/e3598a53678a1e3698e78eb71e04ba10ca32e5e2
github.com/keycloak/keycloak/security/advisories/GHSA-m6q9-p373-g5q8
nvd.nist.gov/vuln/detail/CVE-2024-1249
Related
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
6.7 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
13.0%