A flaw was found in` JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.
Fixes

Solution

No solution given by the vendor.


Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

History

Wed, 25 Jun 2025 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat jboss Enterprise Application Platform Eus
CPEs cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
Vendors & Products Redhat jboss Enterprise Application Platform Eus
References

Tue, 29 Oct 2024 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-09-16T00:00:36.042Z

Reserved: 2024-02-05T18:40:46.701Z

Link: CVE-2024-1233

cve-icon Vulnrichment

Updated: 2024-08-01T18:33:25.381Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-09T07:15:08.060

Modified: 2025-06-25T01:15:22.493

Link: CVE-2024-1233

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-04-02T00:00:00Z

Links: CVE-2024-1233 - Bugzilla

cve-icon OpenCVE Enrichment

No data.