Base Score

HIGH7.4

CVE-2024-1249

A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.

VectorNETWORK

Published Bysecalert@redhat.com

Published DateApr 17, 2024, 14:15

Affected Versions(2)

org.keycloak:keycloak-services(Maven)

Introduced0

Fixed22.0.10

LimitN/A

org.keycloak:keycloak-services(Maven)

Introduced23.0.0

Fixed24.0.3

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.keycloak:keycloak-services(Maven)	0	22.0.10	N/A
org.keycloak:keycloak-services(Maven)	23.0.0	24.0.3	N/A

Weakness Type (CWE):CWE-346

CVSS Metrics

Base Score

7.4

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH

References

Base Score

HIGH7.4

Weakness Type (CWE):CWE-346

CVSS Metrics

Base Score

7.4

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH