WildFly Elytron / ELY-2744

CVE-2024-1233: Validate the jku header parameter during token validation to make sure it exactly matches a value from a configured list of allowed values


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 2.4.0.Final

      In JwtValidator.resolvePublicKey, the validator reads the jku header parameter of the token and sends an HTTP request to that URL to retrieve the key. No allow-listing or other filtering is applied to the destination URL, so a token carrying an attacker-chosen jku value makes the server issue a request to an arbitrary address. This is a server-side request forgery (SSRF) vulnerability.

      See https://access.redhat.com/security/cve/CVE-2024-1233.
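The fix stated in the title, shown as an added Java example that is not Elytron's code: a hypothetical JkuAllowListCheck class contrasts accepting any well-formed jku URL (the pre-fix behaviour that enables SSRF) with requiring an exact, character-for-character match against a configured list before any request is made. The class and method names and the sample URLs are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Set;

/** Stand-in for the jku handling in a JWT validator (hypothetical, not Elytron code). */
public final class JkuAllowListCheck {
    private final Set<String> allowedJkuValues;

    public JkuAllowListCheck(List<String> allowedJkuValues) {
        this.allowedJkuValues = Set.copyOf(allowedJkuValues);
    }

    /** Pre-fix behaviour: any well-formed absolute URL is accepted and would be fetched (SSRF). */
    public static boolean acceptsWithoutAllowList(String jku) {
        try {
            return new URI(jku).isAbsolute();
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Post-fix behaviour: the raw jku string must equal one configured value, character for character. */
    public boolean isAllowed(String jku) {
        return jku != null && allowedJkuValues.contains(jku);
    }

    /** Returns the location to fetch only after the allow-list check passed; no I/O happens here. */
    public URI resolveKeySetLocation(String jku) {
        if (!isAllowed(jku)) {
            throw new SecurityException("jku header value is not in the configured allow list: " + jku);
        }
        return URI.create(jku);
    }

    public static void main(String[] args) {
        JkuAllowListCheck check = new JkuAllowListCheck(List.of("https://idp.example.com/oauth2/jwks"));
        String[] samples = {                              // constructed sample jku values
            "https://idp.example.com/oauth2/jwks",        // exactly the configured value -> allowed
            "https://idp.example.com/oauth2/jwks/",       // trailing slash -> rejected
            "http://idp.example.com/oauth2/jwks",         // scheme differs -> rejected
            "https://idp.example.com:8443/oauth2/jwks",   // port differs -> rejected
            "https://jwks.internal.example/keys"          // unrelated host -> rejected
        };
        for (String jku : samples) {
            System.out.printf("%-46s no-allow-list=%b exact-match=%b%n",
                    jku, acceptsWithoutAllowList(jku), check.isAllowed(jku));
        }
    }
}
```

Normalisation (case folding, trailing slashes, default ports) is deliberately absent: the title calls for an exact match, which keeps the accepted set identical to what the administrator configured.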

Farah Juma (fjuma1@redhat.com)