Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1tNnE5LXAzNzMtZzVxOM4AA7I_

Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS

A potential security flaw in the "checkLoginIframe" which allows unvalidated cross-origin messages, enabling potential DDoS attacks. By exploiting this vulnerability, attackers could coordinate to send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.

Acknowledgements

Special thanks to Adriano Márcio Monteiro from BRZTEC for reporting this issue and helping us improve our project.

Permalink: https://github.com/advisories/GHSA-m6q9-p373-g5q8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNnE5LXAzNzMtZzVxOM4AA7I_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 15 days ago
Updated: 6 days ago

CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

Identifiers: GHSA-m6q9-p373-g5q8, CVE-2024-1249
References:

• https://github.com/keycloak/keycloak/security/advisories/GHSA-m6q9-p373-g5q8
• https://nvd.nist.gov/vuln/detail/CVE-2024-1249
• https://access.redhat.com/errata/RHSA-2024:1868
• https://access.redhat.com/security/cve/CVE-2024-1249
• https://bugzilla.redhat.com/show_bug.cgi?id=2262918
• https://access.redhat.com/errata/RHSA-2024:1860
• https://access.redhat.com/errata/RHSA-2024:1861
• https://access.redhat.com/errata/RHSA-2024:1862
• https://access.redhat.com/errata/RHSA-2024:1864
• https://access.redhat.com/errata/RHSA-2024:1866
• https://access.redhat.com/errata/RHSA-2024:1867
• https://github.com/advisories/GHSA-m6q9-p373-g5q8

Repository: https://github.com/keycloak/keycloak
Blast Radius: 20.3

Affected Packages