CVE-2024-9666

A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2024:10175
https://access.redhat.com/errata/RHSA-2024:10176
https://access.redhat.com/errata/RHSA-2024:10177
https://access.redhat.com/errata/RHSA-2024:10178
https://access.redhat.com/security/cve/CVE-2024-9666
https://bugzilla.redhat.com/show_bug.cgi?id=2317440

Configurations

No configuration.

History

No history.

Information

Published : 2024-11-25 08:15

Updated : 2024-11-25 08:15

NVD link : CVE-2024-9666

Mitre link : CVE-2024-9666

CVE.ORG link : CVE-2024-9666

JSON object : View

Products Affected

No product.

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

{"id": "CVE-2024-9666", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2024-11-25T08:15:10.943", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:10175", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:10176", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:10177", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:10178", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2024-9666", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317440", "source": "secalert@redhat.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service.\nThe attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en el servidor Keycloak. El servidor Keycloak es vulnerable a un ataque de denegaci\u00f3n de servicio (DoS) debido al manejo inadecuado de los encabezados de proxy. Cuando Keycloak est\u00e1 configurado para aceptar encabezados de proxy entrantes, puede aceptar valores que no sean IP, como identificadores ofuscados, sin una validaci\u00f3n adecuada. Este problema puede generar costosas operaciones de resoluci\u00f3n de DNS, que un atacante podr\u00eda aprovechar para bloquear subprocesos de E/S y potencialmente causar una denegaci\u00f3n de servicio. El atacante debe tener acceso para enviar solicitudes a una instancia de Keycloak que est\u00e9 configurada para aceptar encabezados de proxy, espec\u00edficamente cuando los servidores proxy inversos no sobrescriben los encabezados entrantes y Keycloak est\u00e1 configurado para confiar en estos encabezados."}], "lastModified": "2024-11-25T08:15:10.943", "sourceIdentifier": "secalert@redhat.com"}