7.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-1249

GHSA ID

GHSA-m6q9-p373-g5q8

EPSS Score

0.42162%

CWE

CWE-346

Published

4/17/2024

Updated

6/24/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-1249

CVE-2024-1249: Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS

A potential security flaw in the "checkLoginIframe" which allows unvalidated cross-origin messages, enabling potential DDoS attacks. By exploiting this vulnerability, attackers could coordinate to send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.

Acknowledgements

Special thanks to Adriano Márcio Monteiro from BRZTEC for reporting this issue and helping us improve our project.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-1249

CVE-2024-1249:

7.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-1249

GHSA ID

GHSA-m6q9-p373-g5q8

EPSS Score

0.42162%

CWE

CWE-346

Published

4/17/2024

Updated

6/24/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.keycloak:keycloak-services	maven	< 22.0.10	22.0.10
org.keycloak:keycloak-services	maven	>= 23.0.0, < 24.0.3	24.0.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the checkState function in login-status-iframe.html handling cross-origin messages. The commit diff shows the addition of 'preventAdditionalRequests' flag to limit requests, proving the original function lacked request throttling. The CWE-346 (Origin Validation Error) confirms missing origin checks. The function's role in session status checks and the patch's focus on request limiting directly correlate with the described DDoS vulnerability through unvalidated messages.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-1249: Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS

Acknowledgements

CVE-2024-1249:

7.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.4

7.4

CVE-2024-1249: Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS

Acknowledgements

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI