Keycloak Server: Denial of Service via Improper Proxy Header Validation
CVE-2024-9666 Published on November 25, 2024

org.keycloak:keycloak-quarkus-server: Keycloak proxy header handling denial-of-service (DoS) vulnerability
A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. Because these values are not checked to be literal IP addresses, handling them can trigger costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must be able to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when the reverse proxies in front of it do not overwrite incoming headers and Keycloak is configured to trust those headers.
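The mitigation the advisory implies is to accept only literal IP addresses from proxy headers and never hand header content to a resolver. The following is an added, illustrative check written for this page; it is not Keycloak code or Red Hat's advisory, and the trusted-proxy list and sample addresses are constructed assumptions.

```python
import ipaddress
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _is_port(s: str) -> bool:
    return s.isdigit() and 0 < int(s) < 65536


def parse_ip_literal(token: str) -> Optional[IPAddr]:
    """Return the IP literal in one X-Forwarded-For hop, or None.

    Accepts '203.0.113.7', '203.0.113.7:8443', '2001:db8::1' and
    '[2001:db8::1]:8443'. Hostnames and obfuscated identifiers such as
    '_hidden' return None. ipaddress.ip_address() parses text only and never
    consults a resolver, so a crafted header cannot cause a DNS lookup here.
    """
    token = token.strip()
    if token.startswith("["):                       # [ipv6] or [ipv6]:port
        end = token.find("]")
        if end < 0:
            return None
        host, rest = token[1:end], token[end + 1:]
        if rest and not (rest.startswith(":") and _is_port(rest[1:])):
            return None
    elif token.count(":") == 1:                     # ipv4:port
        host, port = token.split(":")
        if not _is_port(port):
            return None
    else:                                           # bare ipv4 or bare ipv6
        host = token
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def client_ip_from_xff(header: str, peer: str, trusted_proxies: List[str]) -> IPAddr:
    """Pick the client address from X-Forwarded-For, failing closed.

    Walks the chain right to left, skipping hops that belong to proxies we
    trust (assumed list), and returns the first untrusted hop. If any hop is
    not an IP literal the whole header is ignored and the TCP peer address is
    used, so a malformed header changes nothing but the recorded client IP.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    hops = [parse_ip_literal(t) for t in header.split(",")] if header else []
    if not hops or any(h is None for h in hops):
        return ipaddress.ip_address(peer)
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return hops[0]                 # every hop is a trusted proxy; take the leftmost
```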


Vulnerability Analysis

CVE-2024-9666 is exploitable with local system access and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. A successful exploit is considered to have no impact on confidentiality or integrity and a high impact on availability.

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

Timeline

Reported to Red Hat.

Made public 44 days later.

Weakness Type

What is an HTTP Request Smuggling Vulnerability?

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

CVE-2024-9666 has been classified as an HTTP Request Smuggling vulnerability or weakness.

Products Associated with CVE-2024-9666

Vulnerable Packages

The following package names and versions may be associated with CVE-2024-9666.

Package Manager   Vulnerable Package                      Versions              Fixed In
maven             org.keycloak:keycloak-quarkus-server    < 24.0.9
maven             org.keycloak:keycloak-quarkus-server    >= 25.0.0, < 26.0.6   26.0.6

Exploit Probability

EPSS: 0.01%
Percentile: 2.48%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.