CVE-2024-1249

high

Description

A flaw was found in Keycloak's OIDC component, in the "checkLoginIframe", which accepts cross-origin messages without validating their origin. Because incoming messages are not subject to proper origin validation, attackers can use simple code to coordinate and send millions of requests in seconds, significantly impacting the application's availability.

References

https://bugzilla.redhat.com/show_bug.cgi?id=2262918

https://access.redhat.com/security/cve/CVE-2024-1249

https://access.redhat.com/errata/RHSA-2024:4057

https://access.redhat.com/errata/RHSA-2024:2945

https://access.redhat.com/errata/RHSA-2024:1868

https://access.redhat.com/errata/RHSA-2024:1867

https://access.redhat.com/errata/RHSA-2024:1866

https://access.redhat.com/errata/RHSA-2024:1864

https://access.redhat.com/errata/RHSA-2024:1862

https://access.redhat.com/errata/RHSA-2024:1861

https://access.redhat.com/errata/RHSA-2024:1860

Details

Source: Mitre, NVD

Published: 2024-04-17

Updated: 2024-06-24

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

Severity: High