GHSA-m6q9-p373-g5q8
First published: Wed Apr 17 2024(Updated: )
A potential security flaw in the "checkLoginIframe" which allows unvalidated cross-origin messages, enabling potential DDoS attacks. By exploiting this vulnerability, attackers could coordinate to send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages. #### Acknowledgements Special thanks to Adriano Márcio Monteiro from BRZTEC for reporting this issue and helping us improve our project.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.keycloak:keycloak-services | >=23.0.0<24.0.3 | 24.0.3 |
| maven/org.keycloak:keycloak-services | <22.0.10 | 22.0.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/keycloak/keycloak/security/advisories/GHSA-m6q9-p373-g5q8
- https://nvd.nist.gov/vuln/detail/CVE-2024-1249
- https://access.redhat.com/errata/RHSA-2024:1868
- https://access.redhat.com/security/cve/CVE-2024-1249
- https://bugzilla.redhat.com/show_bug.cgi?id=2262918
- https://github.com/advisories/GHSA-m6q9-p373-g5q8 (Advisory)
- https://access.redhat.com/errata/RHSA-2024:1860
- https://access.redhat.com/errata/RHSA-2024:1861
- https://access.redhat.com/errata/RHSA-2024:1862
- https://access.redhat.com/errata/RHSA-2024:1864
- https://access.redhat.com/errata/RHSA-2024:1866
- https://access.redhat.com/errata/RHSA-2024:1867
- agent/severity
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/softwarecombine
- agent/type
- agent/description
- agent/first-publish-date
- agent/event
- collector/github-advisory
- source/GitHub
- alias/GHSA-m6q9-p373-g5q8
- alias/CVE-2024-1249
- agent/software-canonical-lookup
- agent/tags
- collector/github-advisory-latest
- package-manager/maven