A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service.
The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.
The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.
Metrics
Affected Vendors & Products
References
History
Mon, 25 Nov 2024 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Mon, 25 Nov 2024 07:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Title | org.keycloak/keycloak-quarkus-server: Keycloak proxy header handling Denial-of-Service (DoS) vulnerability | Org.keycloak/keycloak-quarkus-server: keycloak proxy header handling denial-of-service (dos) vulnerability |
First Time appeared |
Redhat jboss Enterprise Application Platform
|
|
CPEs | cpe:/a:redhat:jboss_enterprise_application_platform:8 | |
Vendors & Products |
Redhat jboss Enterprise Application Platform
|
|
References |
|
|
Sat, 23 Nov 2024 02:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | No description is available for this CVE. | A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers. |
Fri, 22 Nov 2024 14:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | No description is available for this CVE. | |
Title | org.keycloak/keycloak-quarkus-server: Keycloak proxy header handling Denial-of-Service (DoS) vulnerability | |
First Time appeared |
Redhat
Redhat build Keycloak |
|
Weaknesses | CWE-444 | |
CPEs | cpe:/a:redhat:build_keycloak:24 cpe:/a:redhat:build_keycloak:24::el9 cpe:/a:redhat:build_keycloak:26 cpe:/a:redhat:build_keycloak:26.0::el9 |
|
Vendors & Products |
Redhat
Redhat build Keycloak |
|
References |
| |
Metrics |
threat_severity
|
cvssV3_1
|

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2025-01-28T09:33:51.117Z
Reserved: 2024-10-08T22:36:23.598Z
Link: CVE-2024-9666

Updated: 2024-11-25T17:14:57.969Z

Status : Received
Published: 2024-11-25T08:15:10.943
Modified: 2024-11-25T08:15:10.943
Link: CVE-2024-9666


No data.