GHSA-v4mm-q8fv-r2w5

Source

https://github.com/advisories/GHSA-v4mm-q8fv-r2w5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-v4mm-q8fv-r2w5/GHSA-v4mm-q8fv-r2w5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v4mm-q8fv-r2w5

Aliases

CVE-2024-1233

Published

2024-04-09T09:31:10Z

Modified

2025-10-16T07:57:47.750345Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

WildFly Elytron: SSRF security issue

Details

A flaw was found inJwtValidator.resolvePublicKey in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.

Database specific

{
    "nvd_published_at": "2024-04-09T07:15:08Z",
    "github_reviewed_at": "2024-04-09T18:53:09Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "HIGH"
}

References

Affected packages

Maven / org.wildfly.security:wildfly-elytron-realm-token

Package

Name: org.wildfly.security:wildfly-elytron-realm-token; View open source insights on deps.dev
Purl: pkg:maven/org.wildfly.security/wildfly-elytron-realm-token

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.4.0.CR1

Affected versions

1.*

1.9.0.CR1

1.9.0.CR2

1.9.0.CR3

1.9.0.CR4

1.9.0.CR5

1.9.0.Final

1.9.1.Final

1.10.0.CR1

1.10.0.CR2

1.10.0.CR3

1.10.0.CR4

1.10.0.CR5

1.10.0.CR6

1.10.0.Final

1.10.1.Final

1.10.2.Final

1.10.3.Final

1.10.4.Final

1.10.5.Final

1.10.6.Final

1.10.7.Final

1.10.8.Final

1.10.9.Final

1.10.10.Final

1.10.11.Final

1.10.12.Final

1.10.13.Final

1.10.14.Final

1.10.15.Final

1.10.16.Final

1.10.17.Final

1.11.0.CR1

1.11.0.CR2

1.11.0.CR3

1.11.0.CR4

1.11.0.CR5

1.11.0.Final

1.11.1.Final

1.11.2.Final

1.11.3.Final

1.11.4.Final

1.12.0.CR1

1.12.0.CR2

1.12.0.CR3

1.12.0.Final

1.12.1.Final

1.13.0.CR1

1.13.0.CR2

1.13.0.CR3

1.13.0.CR4

1.13.0.Final

1.13.1.Final

1.13.2.Final

1.14.0.Final

1.14.1.Final

1.14.2.Final

1.15.0.CR1

1.15.0.Final

1.15.1.Final

1.15.2.Final

1.15.3.Final

1.15.4.Final

1.15.5.Final

1.15.6.Final

1.15.7.Final

1.15.8.Final

1.15.9.Final

1.15.10.Final

1.15.11.Final

1.15.12.Final

1.15.13.Final

1.15.14.Final

1.15.15.Final

1.15.16.Final

1.15.17.Final

1.15.18.Final

1.15.19.Final

1.15.20.Final

1.15.21.Final

1.15.22.Final

1.15.23.Final

1.15.24.Final

1.15.25.Final

1.15.26.Final

1.15.27.Alpha1

1.16.0.CR1

1.16.0.Final

1.16.1.Final

1.17.0.Final

1.17.1.Final

1.17.2.Final

1.17.3.Final

1.18.0.Final

1.18.1.Final

1.18.2.Final

1.18.3.Final

1.19.0.Final

1.19.1.Final

1.20.0.Final

1.20.1.Final

1.20.2.Final

1.20.3.Final

1.20.4.Final

2.*

2.0.0.Alpha1

2.0.0.Alpha2

2.0.0.Alpha3

2.0.0.Alpha4

2.0.0.Alpha5

2.0.0.Alpha6

2.0.0.Alpha7

2.0.0.Alpha8

2.0.0.Alpha9

2.0.0.Alpha10

2.0.0.Beta1

2.0.0.Beta2

2.0.0.Beta3

2.0.0.Final

2.1.0.Final

2.2.0.Final

2.2.1.Final

2.2.2.Final

2.2.3.Final

2.2.4.Final

2.2.5.Final

2.2.6.Final

2.2.7.Final

2.2.8.Final

2.2.9.Final

2.2.10.Final

2.2.11.Final

2.2.12.Alpha1

2.2.12.Final

2.3.0.Final

2.3.1.Final

2.4.0.CR1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-v4mm-q8fv-r2w5/GHSA-v4mm-q8fv-r2w5.json"