CVE-2024-9666

Org.keycloak/keycloak-quarkus-server: keycloak proxy header handling denial-of-service (dos) vulnerability

Severity Score

4.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service.
The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

New images with security impact Important are available for Red Hat build of Keycloak 24.0.9 and Red Hat build of Keycloak 24.0.9 Operator, running on OpenShift Container Platform. Issues addressed include a denial of service vulnerability.

*Credits: N/A

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

High

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-10-08 CVE Reserved
2024-11-25 CVE Published
2025-01-28 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (6)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2024:10175	2024-11-25
https://access.redhat.com/errata/RHSA-2024:10176	2024-11-25
https://access.redhat.com/errata/RHSA-2024:10177	2024-11-25
https://access.redhat.com/errata/RHSA-2024:10178	2024-11-25
https://access.redhat.com/security/cve/CVE-2024-9666	2024-11-21
https://bugzilla.redhat.com/show_bug.cgi?id=2317440	2024-11-21

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Build Keycloak Search vendor "Redhat" for product "Build Keycloak"				*		-		Affected
Redhat Search vendor "Redhat"		Build Of Keycloak Search vendor "Redhat" for product "Build Of Keycloak"				*		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				*		-		Affected