CVE-2024-1233 - Vulnerability Details

A flaw was found in` JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00177.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Redhat	Jboss Enterprise Application Platform Jboss Enterprise Application Platform Eus Jbosseapxp

No data.

Package	CPE	Advisory	Released Date
Red Hat JBoss Enterprise Application Platform 7
eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2024:3563	2024-06-03T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
eap7-glassfish-el-0:3.0.1-4.b08_redhat_00005.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-hibernate-0:5.1.17-3.Final_redhat_00004.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-jackson-databind-0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-jboss-ejb-client-0:4.0.12-1.Final_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-netty-0:4.1.63-2.Final_redhat_00003.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-undertow-0:1.4.18-16.SP14_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-0:7.1.11-4.GA_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-elytron-0:1.1.14-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-http-client-0:1.0.21-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-naming-client-0:1.0.13-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-openssl-linux-0:1.0.12-6.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
eap7-jackson-annotations-0:2.10.4-3.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-core-0:2.10.4-3.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-databind-0:2.10.4-5.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-jaxrs-providers-0:2.10.4-3.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-modules-base-0:2.10.4-5.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-modules-java8-0:2.10.4-2.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-16.Final_redhat_00017.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-netty-0:4.1.63-5.Final_redhat_00003.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-undertow-0:2.0.41-4.SP5_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-wildfly-0:7.3.14-3.GA_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-wildfly-elytron-0:1.10.17-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-apache-cxf-0:3.5.8-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-hal-console-0:3.3.22-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-infinispan-0:11.0.19-2.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-jboss-ejb-client-0:4.0.54-3.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-jboss-jsf-api_2.3_spec-0:3.0.0-8.SP08_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-jboss-metadata-0:13.5.0-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-jboss-modules-0:1.12.3-3.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-jboss-server-migration-0:1.10.0-36.Final_redhat_00035.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-undertow-0:2.2.32-1.SP1_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-wildfly-0:7.4.17-2.GA_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-wildfly-discovery-0:1.2.4-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-wildfly-elytron-0:1.15.23-2.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-wildfly-http-client-0:1.1.17-1.Final_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.19-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-wss4j-0:2.4.3-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-xml-security-0:2.3.4-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
eap7-apache-cxf-0:3.5.8-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-hal-console-0:3.3.22-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-infinispan-0:11.0.19-2.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-jboss-ejb-client-0:4.0.54-3.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-jboss-jsf-api_2.3_spec-0:3.0.0-8.SP08_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-jboss-metadata-0:13.5.0-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-jboss-modules-0:1.12.3-3.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-jboss-server-migration-0:1.10.0-36.Final_redhat_00035.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-undertow-0:2.2.32-1.SP1_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-wildfly-0:7.4.17-2.GA_redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-wildfly-discovery-0:1.2.4-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-wildfly-elytron-0:1.15.23-2.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-wildfly-http-client-0:1.1.17-1.Final_redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.19-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-wss4j-0:2.4.3-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-xml-security-0:2.3.4-1.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-wildfly-elytron-0:1.15.23-2.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:3559	2024-06-03T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8
eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0	RHSA-2024:3583	2024-06-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
eap8-elytron-web-0:4.0.1-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:3580	2024-06-04T00:00:00Z
eap8-wildfly-elytron-0:2.2.4-2.SP01_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:3580	2024-06-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
eap8-elytron-web-0:4.0.1-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:3581	2024-06-04T00:00:00Z
eap8-wildfly-elytron-0:2.2.4-2.SP01_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:3581	2024-06-04T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-1305	A flaw was found in` JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.
Github GHSA	GHSA-v4mm-q8fv-r2w5	WildFly Elytron: SSRF security issue

Fixes

Solution

No solution given by the vendor.

Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2024:3559
https://access.redhat.com/errata/RHSA-2024:3560
https://access.redhat.com/errata/RHSA-2024:3561
https://access.redhat.com/errata/RHSA-2024:3563
https://access.redhat.com/errata/RHSA-2024:3580
https://access.redhat.com/errata/RHSA-2024:3581
https://access.redhat.com/errata/RHSA-2024:3583
https://access.redhat.com/errata/RHSA-2025:9582
https://access.redhat.com/errata/RHSA-2025:9583
https://access.redhat.com/security/cve/CVE-2024-1233
https://bugzilla.redhat.com/show_bug.cgi?id=2262849
https://github.com/advisories/GHSA-v4mm-q8fv-r2w5
https://github.com/wildfly/wildfly/pull/17812/commits/0c02350bc0d84287bed46e7c32f90b36e50d3523
https://issues.redhat.com/browse/WFLY-19226
https://nvd.nist.gov/vuln/detail/CVE-2024-1233
https://www.cve.org/CVERecord?id=CVE-2024-1233

History

Wed, 25 Jun 2025 01:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform Eus
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
Vendors & Products		Redhat jboss Enterprise Application Platform Eus
References		https://access.redhat.com/errata/RHSA-2025:9582 https://access.redhat.com/errata/RHSA-2025:9583

Tue, 29 Oct 2024 03:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-04-09T07:01:47.673Z

Updated: 2025-11-07T20:40:30.662Z

Reserved: 2024-02-05T18:40:46.701Z

Link: CVE-2024-1233

Vulnrichment

Updated: 2024-08-01T18:33:25.381Z

NVD

Status : Awaiting Analysis

Published: 2024-04-09T07:15:08.060

Modified: 2025-10-24T12:15:36.770

Link: CVE-2024-1233

Redhat

Severity : Moderate

Publid Date: 2024-04-02T00:00:00Z

Links: CVE-2024-1233 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object