GHSA-JGWC-JH89-RPGQ

Vulnerability from github – Published: 2024-11-25 19:39 – Updated: 2024-11-25 19:39
VLAI?
Summary
Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
Details

Keycloak versions 26 and earlier are vulnerable to a denial-of-service (DoS) attack through improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service.

The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

For Keycloak version 26, for successful exploitation includes: the realm must have SslRequired=EXTERNAL (the default), HTTP must be enabled, the instance must not be using a full hostname URL, access must come from behind a proxy (assuming the proxy overwrites the X-Forwarded-For header), and trusted proxies must not be set or must incorrectly trust the client from which the request is originating.

Severity ?
4.7 (Medium)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
5.7 (Medium)
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 24.0.9"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-quarkus-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-quarkus-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.0.0"
            },
            {
              "fixed": "26.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-9666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-25T19:39:12Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Keycloak versions 26 and earlier are vulnerable to a denial-of-service (DoS) attack through improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service.\n\nThe attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.\n\nFor Keycloak version 26, for successful exploitation includes: the realm must have SslRequired=EXTERNAL (the default), HTTP must be enabled, the instance must not be using a full hostname URL, access must come from behind a proxy (assuming the proxy overwrites the X-Forwarded-For header), and trusted proxies must not be set or must incorrectly trust the client from which the request is originating.\n\n",
  "id": "GHSA-jgwc-jh89-rpgq",
  "modified": "2024-11-25T19:39:12Z",
  "published": "2024-11-25T19:39:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-jgwc-jh89-rpgq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9666"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/issues/35216"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:10175"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:10176"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:10177"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:10178"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9666"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317440"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Keycloak proxy header handling Denial-of-Service (DoS) vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.