Show plain JSON{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1249", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-02-06T06:20:24.574Z", "datePublished": "2024-04-17T13:22:48.335Z", "dateUpdated": "2025-01-28T09:42:43.950Z"}, "containers": {"cna": {"title": "Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak's OIDC component in the \"checkLoginIframe,\" which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages."}], "affected": [{"versions": [{"status": "affected", "version": "21.1.0", "lessThan": "22.0.10", "versionType": "semver"}, {"status": "affected", "version": "23.0.0", "lessThan": "24.0.3", "versionType": "semver"}], "packageName": "keycloak", "collectionURL": "https://github.com/keycloak/keycloak", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat AMQ Broker 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected", "packageName": "keycloak", "cpes": ["cpe:/a:redhat:amq_broker:7.12"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 22", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "22.0.10-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:22::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 22", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "22-13", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:22::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 22", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "22-16", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:22::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 22.0.10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "keycloak", "cpes": ["cpe:/a:redhat:build_keycloak:22"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.13-1.redhat_00001.1.el7sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.13-1.redhat_00001.1.el8sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.13-1.redhat_00001.1.el9sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rh-sso-7/sso76-openshift-rhel8", "defaultStatus": "affected", "versions": [{"version": "7.6-46", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "RHOSS-1.33-RHEL-8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/logic-data-index-ephemeral-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.33.0-5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.33::el8"]}, {"vendor": "Red Hat", "product": "RHOSS-1.33-RHEL-8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/logic-data-index-postgresql-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.33.0-5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.33::el8"]}, {"vendor": "Red Hat", "product": "RHOSS-1.33-RHEL-8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.33.0-5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.33::el8"]}, {"vendor": "Red Hat", "product": "RHOSS-1.33-RHEL-8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/logic-jobs-service-postgresql-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.33.0-5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.33::el8"]}, {"vendor": "Red Hat", "product": "RHOSS-1.33-RHEL-8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.33.0-5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.33::el8"]}, {"vendor": "Red Hat", "product": "RHOSS-1.33-RHEL-8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/logic-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "1.33.0-5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.33::el8"]}, {"vendor": "Red Hat", "product": "RHOSS-1.33-RHEL-8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/logic-rhel8-operator", "defaultStatus": "affected", "versions": [{"version": "1.33.0-3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.33::el8"]}, {"vendor": "Red Hat", "product": "RHOSS-1.33-RHEL-8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/logic-swf-builder-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.33.0-5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.33::el8"]}, {"vendor": "Red Hat", "product": "RHOSS-1.33-RHEL-8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/logic-swf-devmode-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.33.0-5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.33::el8"]}, {"vendor": "Red Hat", "product": "RHSSO 7.6.8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "keycloak", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6"]}, {"vendor": "Red Hat", "product": "Migration Toolkit for Applications 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "mta/mta-ui-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:migration_toolkit_applications:6"]}, {"vendor": "Red Hat", "product": "Migration Toolkit for Applications 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "mta/mta-ui-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:migration_toolkit_applications:7"]}, {"vendor": "Red Hat", "product": "Red Hat build of Apicurio Registry", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:service_registry:2"]}, {"vendor": "Red Hat", "product": "Red Hat Data Grid 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_data_grid:8"]}, {"vendor": "Red Hat", "product": "Red Hat Decision Manager 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_enterprise_brms_platform:7"]}, {"vendor": "Red Hat", "product": "Red Hat Developer Hub", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhdh-hub-container", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:rhdh:1"]}, {"vendor": "Red Hat", "product": "Red Hat Fuse 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_fuse:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Data Grid 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_data_grid:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 6", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "keycloak", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:6"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 6", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "keycloak-adapter-eap6", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:6"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 6", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "keycloak-adapter-sso7_2-eap6", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:6"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 6", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "keycloak-adapter-sso7_3-eap6", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:6"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 6", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "keycloak-adapter-sso7_4-eap6", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:6"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 6", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "keycloak-adapter-sso7_5-eap6", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:6"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 6", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "org.keycloak-keycloak-parent", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:6"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 6", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "rh-sso7-keycloak", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:6"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "keycloak", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "keycloak", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jbosseapxp"]}, {"vendor": "Red Hat", "product": "Red Hat Process Automation 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"]}, {"vendor": "Red Hat", "product": "streams for Apache Kafka", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:amq_streams:1"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1860", "name": "RHSA-2024:1860", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1861", "name": "RHSA-2024:1861", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1862", "name": "RHSA-2024:1862", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1864", "name": "RHSA-2024:1864", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1866", "name": "RHSA-2024:1866", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1867", "name": "RHSA-2024:1867", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1868", "name": "RHSA-2024:1868", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2945", "name": "RHSA-2024:2945", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4057", "name": "RHSA-2024:4057", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1249", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262918", "name": "RHBZ#2262918", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-04-16T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "description": "Origin Validation Error", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-346: Origin Validation Error", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2024-02-06T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-04-16T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Adriano M\u00e1rcio Monteiro for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-01-28T09:42:43.950Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1249", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-25T17:33:02.839974Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:00:28.545Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:33:25.533Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1860", "name": "RHSA-2024:1860", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1861", "name": "RHSA-2024:1861", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1862", "name": "RHSA-2024:1862", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1864", "name": "RHSA-2024:1864", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1866", "name": "RHSA-2024:1866", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1867", "name": "RHSA-2024:1867", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1868", "name": "RHSA-2024:1868", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2945", "name": "RHSA-2024:2945", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4057", "name": "RHSA-2024:4057", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1249", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262918", "name": "RHBZ#2262918", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}