CVE-2024-1233: Eap: wildfly-elytron has a ssrf security issue

Description

A flaw was found in `JwtValidator.resolvePublicKey` in JBoss EAP, where the validator reads the `jku` header of a token and sends an HTTP request to the URL it names. No allowlisting or other filtering is performed on that destination URL, which may result in a server-side request forgery (SSRF) vulnerability.
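As an added illustration, not code from WildFly Elytron or the advisory, the Python below contrasts the pre-fix behaviour described above, where the `jku` URL is used exactly as the token supplies it, with a resolver that only hands back an https URL on an allowlisted key-server host; the allowlist host, the token builder and all sample values are constructed assumptions.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this deployment trusts to serve JWK sets.
ALLOWED_JKU_HOSTS = {"sso.example.internal"}


def decode_jwt_header(token: str) -> dict:
    """Decode the base64url JOSE header (first segment) of a compact JWS."""
    segment = token.split(".")[0]
    segment += "=" * (-len(segment) % 4)  # restore the padding compact JWS strips
    return json.loads(base64.urlsafe_b64decode(segment))


def resolve_jku_unchecked(token: str) -> str:
    """Pre-fix behaviour: whatever URL the token names is what the server fetches."""
    return decode_jwt_header(token)["jku"]


def resolve_jku_allowlisted(token: str, allowed_hosts=ALLOWED_JKU_HOSTS) -> str:
    """Hardened form: only an https URL on an allowlisted host is returned for fetching."""
    jku = decode_jwt_header(token).get("jku")
    if not isinstance(jku, str):
        raise ValueError("token carries no usable jku header")
    parts = urlsplit(jku)
    if parts.scheme != "https":
        raise ValueError(f"jku scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("jku must not contain userinfo")  # 'trusted@other' style URLs
    if parts.hostname not in allowed_hosts:
        raise ValueError(f"jku host not in allowlist: {parts.hostname!r}")
    return jku


def is_jku_accepted(token: str) -> bool:
    """Convenience wrapper: True if the hardened resolver would fetch this token's jku."""
    try:
        resolve_jku_allowlisted(token)
        return True
    except ValueError:
        return False


def make_token(header: dict) -> str:
    """Build a constructed, unsigned token with the given header for the examples."""
    seg = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return f"{seg}.e30."
```

The actual JWKS download and key selection are left out on purpose; the point is that the URL check happens before any request is made.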

Classification

CVE ID: CVE-2024-1233

Problem Types

Server-Side Request Forgery (SSRF)

Affected Products

Vendor: Red Hat

Product: Red Hat JBoss Enterprise Application Platform 7, Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8, Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9, Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7, Red Hat JBoss Enterprise Application Platform 8, Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat JBoss Enterprise Application Platform Expansion Pack 5

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.69% (probability of being exploited)

EPSS Percentile: 69.0% (share of all scored CVEs with an equal or lower EPSS score)

EPSS Date: 2025-03-27 (date this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2024-1233
https://access.redhat.com/errata/RHSA-2024:3559
https://access.redhat.com/errata/RHSA-2024:3560
https://access.redhat.com/errata/RHSA-2024:3561
https://access.redhat.com/errata/RHSA-2024:3563
https://access.redhat.com/errata/RHSA-2024:3580
https://access.redhat.com/errata/RHSA-2024:3581
https://access.redhat.com/errata/RHSA-2024:3583
https://access.redhat.com/security/cve/CVE-2024-1233
https://bugzilla.redhat.com/show_bug.cgi?id=2262849
https://github.com/advisories/GHSA-v4mm-q8fv-r2w5
https://github.com/wildfly/wildfly/pull/17812/commits/0c02350bc0d84287bed46e7c32f90b36e50d3523
https://issues.redhat.com/browse/WFLY-19226

Timeline