Vulnerability DatabaseCVE-2024-1249
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-1249
April 17, 2024
A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.
Affected Packages
org.keycloak:keycloak-services (JAVA):
Affected version(s) >=23.0.0 <24.0.3
Fix Suggestion:
Update to version 24.0.3
Related ResourcesĀ (18)
https://access.redhat.com/errata/RHSA-2024:1861
https://access.redhat.com/errata/RHSA-2025:9583
https://github.com/keycloak/keycloak/commit/9d9817e15a07195f16f554b7f60ee3a918369e26
https://access.redhat.com/errata/RHSA-2024:4057
https://access.redhat.com/errata/RHSA-2025:9582
https://bugzilla.redhat.com/show_bug.cgi?id=2262918
https://github.com/keycloak/keycloak/security/advisories/GHSA-m6q9-p373-g5q8
https://github.com/keycloak/keycloak/commit/e3598a53678a1e3698e78eb71e04ba10ca32e5e2
https://access.redhat.com/errata/RHSA-2024:1867
https://access.redhat.com/errata/RHSA-2024:1862
https://access.redhat.com/security/cve/CVE-2024-1249
https://access.redhat.com/errata/RHSA-2024:2945
https://access.redhat.com/errata/RHSA-2024:1868
https://access.redhat.com/errata/RHSA-2024:1866
https://nvd.nist.gov/vuln/detail/CVE-2024-1249
https://access.redhat.com/errata/RHSA-2024:1864
https://github.com/keycloak/keycloak
https://access.redhat.com/errata/RHSA-2024:1860
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
HIGH
CVSS v3
Base Score:
7.4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Origin Validation Error
CWE-346
EPSS
Base Score:
0.20