CVE-2024-9666
CVSS 3.1 Score 4.7 of 10 (medium)
Details
Summary
CVE-2024-9666 is a newly disclosed vulnerability affecting the Keycloak Server. It permits a denial of service (DoS) attack by exploiting Keycloak's improper handling of proxy headers. When Keycloak accepts incoming proxy headers without sufficient validation, it may process non-IP values, including obfuscated identifiers. Such values can trigger expensive DNS resolution operations that tie up IO threads, potentially causing a denial of service. For an attack to succeed, the attacker must be able to send requests to a Keycloak instance in a deployment where the reverse proxy does not overwrite incoming headers and Keycloak trusts those headers.
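As an added example (not from the advisory and not Keycloak's own code), a Python check of the kind a defender can place in front of Keycloak: it takes the rightmost hop of a forwarded-client header, assumed here to be X-Forwarded-For, and accepts it only if it is an IP literal, so hostnames and obfuscated values are dropped instead of being handed to a resolver.

```python
from __future__ import annotations

import ipaddress
from typing import Optional

# Constructed sample header values (not taken from the advisory).
SAMPLE_HEADERS = {
    "plain_v4": "203.0.113.7",
    "chain": "198.51.100.9, 203.0.113.7",
    "bracketed_v6": "[2001:db8::1]",
    "hostname": "attacker-controlled.example",
    "obfuscated": "0x7f000001",
    "empty": "",
}


def parse_forwarded_for(header_value: str) -> list[str]:
    """Split a comma-separated X-Forwarded-For value into trimmed hops."""
    return [hop.strip() for hop in header_value.split(",") if hop.strip()]


def literal_ip(value: str) -> Optional[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Return an address object only if value is an IP literal; never resolve names.

    ipaddress.ip_address() accepts dotted-quad and RFC 4291 text forms only;
    hostnames and hex forms such as 0x7f000001 raise ValueError and are rejected.
    Square brackets around an IPv6 literal are stripped before parsing.
    """
    candidate = value[1:-1] if value.startswith("[") and value.endswith("]") else value
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None


def client_ip_from_header(header_value: str) -> Optional[str]:
    """Validate the hop appended by the trusted proxy (rightmost entry).

    Returns the normalized IP string, or None when the hop is not an IP
    literal. Passing the raw string to a resolver instead (InetAddress.getByName
    in Java, socket.getaddrinfo in Python) would block an IO thread on DNS for
    every attacker-chosen value, which is the failure mode behind CVE-2024-9666.
    """
    hops = parse_forwarded_for(header_value)
    if not hops:
        return None
    addr = literal_ip(hops[-1])
    return str(addr) if addr is not None else None


def check_samples() -> dict[str, Optional[str]]:
    """Run every constructed sample through the validator."""
    return {name: client_ip_from_header(value) for name, value in SAMPLE_HEADERS.items()}
```

Only the `plain_v4`, `chain` and `bracketed_v6` samples yield an address; the rest return None without any lookup being attempted.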
Affected Products
- Keycloak
Affected Vendors
- Red Hat