Untriaged
Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos
A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.
Affected products
keycloak
- <22.0.10
- <24.0.3
eap7-netty
- *
RHSSO 7.6.8
eap7-wildfly
- *
eap7-undertow
- *
keycloak-core
eap7-hibernate
- *
mta/mta-ui-rhel8
mta/mta-ui-rhel9
rh-sso7-keycloak
- *
eap7-glassfish-el
- *
eap7-jackson-core
- *
rhdh-hub-container
rhbk/keycloak-rhel9
- *
rhdh/rhdh-hub-rhel9
eap7-wildfly-elytron
- *
eap7-wildfly-openssl
- *
eap7-jackson-databind
- *
eap7-jboss-ejb-client
- *
keycloak-adapter-eap6
eap7-jackson-annotations
- *
eap7-wildfly-http-client
- *
eap7-jackson-modules-base
- *
eap7-jackson-modules-java8
- *
eap7-wildfly-naming-client
- *
eap7-wildfly-openssl-linux
- *
org.keycloak.protocol.oidc
eap7-jboss-server-migration
- *
eap7-jackson-jaxrs-providers
- *
keycloak-adapter-sso7_2-eap6
keycloak-adapter-sso7_3-eap6
keycloak-adapter-sso7_4-eap6
keycloak-adapter-sso7_5-eap6
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
- *
rhbk/keycloak-operator-bundle
- *
rh-sso-7/sso76-openshift-rhel8
- *
Red Hat build of Keycloak 22.0.10
openshift-serverless-1/logic-rhel8-operator
- *
openshift-serverless-1/logic-operator-bundle
- *
openshift-serverless-1/logic-swf-builder-rhel8
- *
openshift-serverless-1/logic-swf-devmode-rhel8
- *
openshift-serverless-1-logic-rhel8-operator-container
- *
openshift-serverless-1/logic-data-index-ephemeral-rhel8
- *
openshift-serverless-1-logic-swf-builder-rhel8-container
- *
openshift-serverless-1-logic-swf-devmode-rhel8-container
- *
openshift-serverless-1/logic-data-index-postgresql-rhel8
- *
openshift-serverless-1/logic-jobs-service-ephemeral-rhel8
- *
openshift-serverless-1/logic-jobs-service-postgresql-rhel8
- *
openshift-serverless-1-logic-rhel8-operator-bundle-container
- *
openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8
- *
openshift-serverless-1-logic-data-index-ephemeral-rhel8-container
- *
openshift-serverless-1-logic-data-index-postgresql-rhel8-container
- *
openshift-serverless-1-logic-jobs-service-ephemeral-rhel8-container
- *
openshift-serverless-1-logic-jobs-service-postgresql-rhel8-container
- *
openshift-serverless-1-logic-kn-workflow-cli-artifacts-rhel8-container
- *
Matching in nixpkgs
pkgs.keycloak
Identity and access management for modern applications and services
-
nixos-unstable -
- nixpkgs-unstable 26.3.4
pkgs.terraform-providers.keycloak
None
-
nixos-unstable -
- nixpkgs-unstable 5.4.0
pkgs.python312Packages.python-keycloak
Provides access to the Keycloak API
-
nixos-unstable -
- nixpkgs-unstable 4.0.0
pkgs.python313Packages.python-keycloak
Provides access to the Keycloak API
-
nixos-unstable -
- nixpkgs-unstable 4.0.0
Package maintainers
-
@ngerstle Nicholas Gerstle <ngerstle@gmail.com>
-
@NickCao Nick Cao <nickcao@nichi.co>
-
@talyz Kim Lindberger <kim.lindberger@gmail.com>
-
@leona-ya Leona Maroni <nix@leona.is>