Description
A flaw was found in Keycloak's OIDC component in the "checkLoginIframe", which accepts cross-origin messages without validating their origin. Because incoming messages are not checked against an allowed origin, an attacker can use simple code to coordinate and send millions of requests in seconds, significantly impacting the application's availability.
Statement
The vulnerability in Keycloak's OIDC component, which allows unvalidated cross-origin messages in the "checkLoginIframe" function, is rated Important because of its potential to cause significant disruption and resource exhaustion. Exploitation of this flaw can lead to a Denial of Service (DoS) condition, in which malicious actors overwhelm the server with a high volume of requests and degrade availability for legitimate users. Because the origin of incoming messages is not validated, the weakness is relatively easy to exploit: an attacker can use automated scripts to flood the server within seconds.
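The following is an added example, not code from Keycloak or Red Hat, that models the flaw described above in a browser-side message handler: a vulnerable handler that answers every `message` event with a server request, beside a hardened one that validates `event.origin` against an allowlist and throttles per origin before doing any work. The origins, the message shape, the throttle interval and the simulated backend are assumptions made for this example.

```javascript
// Added example, not Keycloak's own code. It models the pattern the advisory
// describes: a login-status iframe reacts to every window "message" event with a
// request to the server. Without an origin check, any page that holds a reference
// to the frame can drive that loop as fast as it likes. The origins, the message
// shape and the per-origin throttle are assumptions made for this example.

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed registered web origin

// Stand-in for the server: counts the session checks the frame actually issues.
function makeBackend() {
  const backend = { requests: 0 };
  backend.checkSession = function () {
    backend.requests += 1;
    return "unchanged";
  };
  return backend;
}

// Vulnerable form: every message, from any origin, triggers a server round-trip.
function vulnerableHandler(backend) {
  return function onMessage(event) {
    const status = backend.checkSession();
    event.source.postMessage(status, event.origin); // answers whoever asked
    return status;
  };
}

// Hardened form: reject messages from non-allowlisted origins before doing any
// work, then throttle per origin so even a compromised allowed page cannot turn
// the frame into a request amplifier. `now` is injected so the demo is deterministic.
function hardenedHandler(backend, { allowedOrigins, minIntervalMs, now }) {
  const lastCheck = new Map();
  return function onMessage(event) {
    if (!allowedOrigins.has(event.origin)) return "rejected:origin";
    const t = now();
    const prev = lastCheck.get(event.origin);
    if (prev !== undefined && t - prev < minIntervalMs) return "rejected:rate";
    lastCheck.set(event.origin, t);
    const status = backend.checkSession();
    event.source.postMessage(status, event.origin); // reply only to the validated origin
    return status;
  };
}

// Constructed flood: n synthetic message events from one origin.
function flood(handler, origin, n) {
  const source = { postMessage() {} }; // stand-in for the sender's window
  const result = { accepted: 0, rejected: 0 };
  for (let i = 0; i < n; i++) {
    const r = handler({ origin, source, data: "ping" });
    if (r.startsWith("rejected")) result.rejected += 1;
    else result.accepted += 1;
  }
  return result;
}

function demo() {
  const attacker = "https://evil.example.net";
  const legit = "https://app.example.com";

  const vulnBackend = makeBackend();
  flood(vulnerableHandler(vulnBackend), attacker, 100000);

  let clock = 0;
  const hardBackend = makeBackend();
  const handler = hardenedHandler(hardBackend, {
    allowedOrigins: ALLOWED_ORIGINS,
    minIntervalMs: 1000,
    now: () => clock,
  });
  const hostile = flood(handler, attacker, 100000); // all rejected, zero server work
  const burst = flood(handler, legit, 1000); // one accepted, the rest throttled
  clock = 1000;
  const later = flood(handler, legit, 1); // interval elapsed, served again

  return {
    vulnerableRequests: vulnBackend.requests,
    hardenedRequests: hardBackend.requests,
    hostile,
    burst,
    later,
  };
}

console.log(demo());
```

In a real frame the allowlist would be derived from the client's registered web origins rather than a literal, the origin check must run before any server call or cookie read, and the reply's target origin should be the validated `event.origin`, never `"*"`.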
Mitigation
Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, and stability.
Affected Packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Migration Toolkit for Applications 6 | mta/mta-ui-rhel9 | Will not fix | | |
| Migration Toolkit for Applications 7 | mta/mta-ui-rhel9 | Not affected | | |
| Red Hat build of Apicurio Registry 2 | keycloak | Affected | | |
| Red Hat Data Grid 8 | keycloak | Not affected | | |
| Red Hat Decision Manager 7 | keycloak | Affected | | |
| Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Not affected | | |
| Red Hat Fuse 7 | keycloak | Not affected | | |
| Red Hat JBoss Data Grid 7 | keycloak | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 6 | keycloak | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | keycloak-adapter-eap6 | Out of support scope | | |
Additional information
CVSS3 base score: 7.4 (High)
Related vulnerabilities
Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS (CVSS3 base score: 7.4, High)