GHSA-v4mm-q8fv-r2w5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v4mm-q8fv-r2w5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-v4mm-q8fv-r2w5/GHSA-v4mm-q8fv-r2w5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v4mm-q8fv-r2w5
- Aliases
-
- CVE-2024-1233
- Published
- 2024-04-09T09:31:10Z
- Modified
- 2024-06-04T18:49:58.933732Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- WildFly Elytron: SSRF security issue
- Details
-
A flaw was found in
JwtValidator.resolvePublicKeyin JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability. - Database specific
{ "nvd_published_at": "2024-04-09T07:15:08Z", "cwe_ids": [ "CWE-918" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-04-09T18:53:09Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-1233
- https://github.com/wildfly/wildfly/pull/17812/commits/0c02350bc0d84287bed46e7c32f90b36e50d3523
- https://github.com/wildfly/wildfly/commit/aa151a00d75d6dbc4a1bf1b68d58b9de3087bb62
- https://access.redhat.com/errata/RHSA-2024:3559
- https://access.redhat.com/errata/RHSA-2024:3560
- https://access.redhat.com/errata/RHSA-2024:3561
- https://access.redhat.com/errata/RHSA-2024:3563
- https://access.redhat.com/errata/RHSA-2024:3580
- https://access.redhat.com/errata/RHSA-2024:3581
- https://access.redhat.com/errata/RHSA-2024:3583
- https://access.redhat.com/security/cve/CVE-2024-1233
- https://bugzilla.redhat.com/show_bug.cgi?id=2262849
- https://github.com/advisories/GHSA-v4mm-q8fv-r2w5
- https://github.com/wildfly-security/wildfly-elytron
- https://issues.redhat.com/browse/WFLY-19226
Affected packages
Maven / org.wildfly.security:wildfly-elytron-realm-token
Package
- Name
- org.wildfly.security:wildfly-elytron-realm-token
- View open source insights on deps.dev
- Purl
- pkg:maven/org.wildfly.security/wildfly-elytron-realm-token
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected2.4.0.CR1
Affected versions
1.*
1.9.0.CR1
1.9.0.CR2
1.9.0.CR3
1.9.0.CR4
1.9.0.CR5
1.9.0.Final
1.9.1.Final
1.10.0.CR1
1.10.0.CR2
1.10.0.CR3
1.10.0.CR4
1.10.0.CR5
1.10.0.CR6
1.10.0.Final
1.10.1.Final
1.10.2.Final
1.10.3.Final
1.10.4.Final
1.10.5.Final
1.10.6.Final
1.10.7.Final
1.10.8.Final
1.10.9.Final
1.10.10.Final
1.10.11.Final
1.10.12.Final
1.10.13.Final
1.10.14.Final
1.10.15.Final
1.11.0.CR1
1.11.0.CR2
1.11.0.CR3
1.11.0.CR4
1.11.0.CR5
1.11.0.Final
1.11.1.Final
1.11.2.Final
1.11.3.Final
1.11.4.Final
1.12.0.CR1
1.12.0.CR2
1.12.0.CR3
1.12.0.Final
1.12.1.Final
1.13.0.CR1
1.13.0.CR2
1.13.0.CR3
1.13.0.CR4
1.13.0.Final
1.13.1.Final
1.13.2.Final
1.14.0.Final
1.14.1.Final
1.14.2.Final
1.15.0.CR1
1.15.0.Final
1.15.1.Final
1.15.2.Final
1.15.3.Final
1.15.4.Final
1.15.5.Final
1.15.6.Final
1.15.7.Final
1.15.8.Final
1.15.9.Final
1.15.10.Final
1.15.11.Final
1.15.12.Final
1.15.13.Final
1.15.14.Final
1.15.15.Final
1.15.16.Final
1.15.17.Final
1.15.18.Final
1.15.19.Final
1.15.20.Final
1.15.21.Final
1.15.22.Final
1.15.23.Final
1.15.24.Final
1.16.0.CR1
1.16.0.Final
1.16.1.Final
1.17.0.Final
1.17.1.Final
1.17.2.Final
1.17.3.Final
1.18.0.Final
1.18.1.Final
1.18.2.Final
1.18.3.Final
1.19.0.Final
1.19.1.Final
1.20.0.Final
1.20.1.Final
1.20.2.Final
1.20.3.Final
1.20.4.Final
2.*
2.0.0.Alpha1
2.0.0.Alpha2
2.0.0.Alpha3
2.0.0.Alpha4
2.0.0.Alpha5
2.0.0.Alpha6
2.0.0.Alpha7
2.0.0.Alpha8
2.0.0.Alpha9
2.0.0.Alpha10
2.0.0.Beta1
2.0.0.Beta2
2.0.0.Beta3
2.0.0.Final
2.1.0.Final
2.2.0.Final
2.2.1.Final
2.2.2.Final
2.2.3.Final
2.2.4.Final
2.2.5.Final
2.2.6.Final
2.3.0.Final
2.3.1.Final
2.4.0.CR1