{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-11734", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-11-26T03:57:37.921Z", "datePublished": "2025-01-14T08:35:42.107Z", "dateUpdated": "2025-01-15T05:37:36.914Z"}, "containers": {"cna": {"title": "Org.keycloak:keycloak-quarkus-server: denial of service in keycloak server via security headers", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that has already been terminated, leading to the failure of said request."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.0", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.0.8-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.0", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.0-7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.0", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.0-8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.0::el9"]}, {"vendor": "Red Hat", "product": "RHBK 26.0.8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "org.keycloak/keycloak-quarkus-server", "cpes": ["cpe:/a:redhat:build_keycloak:26.0"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "org.keycloak/keycloak-quarkus-server", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "org.keycloak/keycloak-quarkus-server", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jbosseapxp"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:0299", "name": "RHSA-2025:0299", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:0300", "name": "RHSA-2025:0300", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-11734", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328846", "name": "RHBZ#2328846", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-01-13T12:22:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "description": "Protection Mechanism Failure", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-693: Protection Mechanism Failure", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2024-11-26T03:54:23.151000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-01-13T12:22:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Chase Bowman (Contract Security) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-01-15T05:37:36.914Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-14T14:44:48.268163Z", "id": "CVE-2024-11734", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-14T14:44:59.365Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-11734", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-14T14:44:48.268163Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-14T14:44:54.484Z"}}], "cna": {"title": "Org.keycloak:keycloak-quarkus-server: denial of service in keycloak server via security headers", "credits": [{"lang": "en", "value": "Red Hat would like to thank Chase Bowman (Contract Security) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"cpes": ["cpe:/a:redhat:build_keycloak:26.0::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.0", "versions": [{"status": "unaffected", "version": "26.0.8-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.0::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.0", "versions": [{"status": "unaffected", "version": "26.0-7", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.0::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.0", "versions": [{"status": "unaffected", "version": "26.0-8", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9-operator", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.0"], "vendor": "Red Hat", "product": "RHBK 26.0.8", "packageName": "org.keycloak/keycloak-quarkus-server", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "packageName": "org.keycloak/keycloak-quarkus-server", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jbosseapxp"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "packageName": "org.keycloak/keycloak-quarkus-server", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-11-26T03:54:23.151000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-01-13T12:22:00+00:00", "value": "Made public."}], "datePublic": "2025-01-13T12:22:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:0299", "name": "RHSA-2025:0299", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:0300", "name": "RHSA-2025:0300", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-11734", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328846", "name": "RHBZ#2328846", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that has already been terminated, leading to the failure of said request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-01-15T05:37:36.914Z"}, "x_redhatCweChain": "CWE-693: Protection Mechanism Failure"}}, "cveMetadata": {"cveId": "CVE-2024-11734", "state": "PUBLISHED", "dateUpdated": "2025-01-15T05:37:36.914Z", "dateReserved": "2024-11-26T03:57:37.921Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-01-14T08:35:42.107Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that has already been terminated, leading to the failure of said request."}], "id": "CVE-2024-11734", "lastModified": "2025-01-14T09:15:19.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2025-01-14T09:15:19.443", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:0299"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:0300"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-11734"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328846"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Chase Bowman (Contract Security) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2025:0299", "cpe": "cpe:/a:redhat:build_keycloak:26.0::el9", "package": "rhbk/keycloak-operator-bundle:26.0.8-1", "product_name": "Red Hat build of Keycloak 26.0", "release_date": "2025-01-13T00:00:00Z"}, {"advisory": "RHSA-2025:0299", "cpe": "cpe:/a:redhat:build_keycloak:26.0::el9", "package": "rhbk/keycloak-rhel9:26.0-7", "product_name": "Red Hat build of Keycloak 26.0", "release_date": "2025-01-13T00:00:00Z"}, {"advisory": "RHSA-2025:0299", "cpe": "cpe:/a:redhat:build_keycloak:26.0::el9", "package": "rhbk/keycloak-rhel9-operator:26.0-8", "product_name": "Red Hat build of Keycloak 26.0", "release_date": "2025-01-13T00:00:00Z"}, {"advisory": "RHSA-2025:0300", "cpe": "cpe:/a:redhat:build_keycloak:26.0", "package": "org.keycloak/keycloak-quarkus-server", "product_name": "RHBK 26.0.8", "release_date": "2025-01-13T00:00:00Z"}], "bugzilla": {"description": "org.keycloak:keycloak-quarkus-server: Denial of Service in Keycloak Server via Security Headers", "id": "2328846", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328846"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-693", "details": ["A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that has already been terminated, leading to the failure of said request."], "name": "CVE-2024-11734", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.keycloak/keycloak-quarkus-server", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.keycloak/keycloak-quarkus-server", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2025-01-13T12:22:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-11734\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-11734"], "statement": "Red Hat has evaluated this vulnerability and its impact is restricted to Keycloak. No Keycloak connectors/adapters are affected.", "threat_severity": "Moderate"}