CVE-2024-1249 - Vulnerability Details

CVE-2024-1249 - Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos

A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00131.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Amq Broker Amq Streams Build Keycloak Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Bpms Platform Jboss Enterprise Brms Platform Jboss Fuse Jbosseapxp Migration Toolkit Applications Openshift Serverless Red Hat Single Sign On Rhdh Rhosemc Service Registry

No data.

Package	CPE	Advisory	Released Date
Red Hat AMQ Broker 7
keycloak	cpe:/a:redhat:amq_broker:7.12	RHSA-2024:2945	2024-05-21T00:00:00Z
Red Hat build of Keycloak 22
rhbk/keycloak-operator-bundle:22.0.10-1	cpe:/a:redhat:build_keycloak:22::el9	RHSA-2024:1867	2024-04-16T00:00:00Z
rhbk/keycloak-rhel9:22-13	cpe:/a:redhat:build_keycloak:22::el9	RHSA-2024:1867	2024-04-16T00:00:00Z
rhbk/keycloak-rhel9-operator:22-16	cpe:/a:redhat:build_keycloak:22::el9	RHSA-2024:1867	2024-04-16T00:00:00Z
Red Hat build of Keycloak 22.0.10
keycloak	cpe:/a:redhat:build_keycloak:22	RHSA-2024:1868	2024-04-16T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7	RHSA-2024:1860	2024-04-16T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8	RHSA-2024:1861	2024-04-16T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2024:1862	2024-04-16T00:00:00Z
RHEL-8 based Middleware Containers
rh-sso-7/sso76-openshift-rhel8:7.6-46	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2024:1864	2024-04-16T00:00:00Z
RHOSS-1.33-RHEL-8
openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.33.0-5	cpe:/a:redhat:openshift_serverless:1.33::el8	RHSA-2024:4057	2024-06-24T00:00:00Z
openshift-serverless-1/logic-data-index-postgresql-rhel8:1.33.0-5	cpe:/a:redhat:openshift_serverless:1.33::el8	RHSA-2024:4057	2024-06-24T00:00:00Z
openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.33.0-5	cpe:/a:redhat:openshift_serverless:1.33::el8	RHSA-2024:4057	2024-06-24T00:00:00Z
openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.33.0-5	cpe:/a:redhat:openshift_serverless:1.33::el8	RHSA-2024:4057	2024-06-24T00:00:00Z
openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.33.0-5	cpe:/a:redhat:openshift_serverless:1.33::el8	RHSA-2024:4057	2024-06-24T00:00:00Z
openshift-serverless-1/logic-operator-bundle:1.33.0-5	cpe:/a:redhat:openshift_serverless:1.33::el8	RHSA-2024:4057	2024-06-24T00:00:00Z
openshift-serverless-1/logic-rhel8-operator:1.33.0-3	cpe:/a:redhat:openshift_serverless:1.33::el8	RHSA-2024:4057	2024-06-24T00:00:00Z
openshift-serverless-1/logic-swf-builder-rhel8:1.33.0-5	cpe:/a:redhat:openshift_serverless:1.33::el8	RHSA-2024:4057	2024-06-24T00:00:00Z
openshift-serverless-1/logic-swf-devmode-rhel8:1.33.0-5	cpe:/a:redhat:openshift_serverless:1.33::el8	RHSA-2024:4057	2024-06-24T00:00:00Z
RHSSO 7.6.8
keycloak	cpe:/a:redhat:red_hat_single_sign_on:7.6	RHSA-2024:1866	2024-04-16T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-1243	A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.
Github GHSA	GHSA-m6q9-p373-g5q8	Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS

Fixes

Solution

No solution given by the vendor.

Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2024:1860
https://access.redhat.com/errata/RHSA-2024:1861
https://access.redhat.com/errata/RHSA-2024:1862
https://access.redhat.com/errata/RHSA-2024:1864
https://access.redhat.com/errata/RHSA-2024:1866
https://access.redhat.com/errata/RHSA-2024:1867
https://access.redhat.com/errata/RHSA-2024:1868
https://access.redhat.com/errata/RHSA-2024:2945
https://access.redhat.com/errata/RHSA-2024:4057
https://access.redhat.com/security/cve/CVE-2024-1249
https://bugzilla.redhat.com/show_bug.cgi?id=2262918
https://nvd.nist.gov/vuln/detail/CVE-2024-1249
https://www.cve.org/CVERecord?id=CVE-2024-1249

History

Wed, 09 Jul 2025 02:30:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
Vendors & Products	Redhat jboss Enterprise Application Platform Eus

Tue, 08 Jul 2025 14:30:00 +0000

Type	Values Removed	Values Added
References	https://access.redhat.com/errata/RHSA-2025:9582 https://access.redhat.com/errata/RHSA-2025:9583

Wed, 25 Jun 2025 00:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform Eus
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
Vendors & Products		Redhat jboss Enterprise Application Platform Eus
References		https://access.redhat.com/errata/RHSA-2025:9582 https://access.redhat.com/errata/RHSA-2025:9583

Tue, 17 Sep 2024 21:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-04-17T13:22:48.335Z

Updated: 2025-11-07T10:19:38.689Z

Reserved: 2024-02-06T06:20:24.574Z

Link: CVE-2024-1249

Vulnrichment

Updated: 2024-08-01T18:33:25.533Z

NVD

Status : Awaiting Analysis

Published: 2024-04-17T14:15:08.160

Modified: 2025-07-08T14:15:24.283

Link: CVE-2024-1249

Redhat

Severity : Important

Publid Date: 2024-04-16T00:00:00Z

Links: CVE-2024-1249 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object