WildFly Elytron / ELY-2744

CVE-2024-1233: Validate the jku header parameter during token validation to make sure it exactly matches a value from a configured list of allowed values


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 2.4.0.Final

      In JwtValidator.resolvePublicKey, the validator reads the token's jku (JWK Set URL) header parameter and sends an HTTP request to that URL to fetch the key. No allow-listing or other filtering is applied to the destination URL, so whoever crafts the token can steer the server's outbound request to an arbitrary host, i.e. a server-side request forgery (SSRF).

      See https://access.redhat.com/security/cve/CVE-2024-1233.
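The following is an added illustration in Python, not Elytron's code: it models the vulnerable resolve-then-fetch pattern beside the exact-match allow-list the issue title calls for, and includes a prefix check only to show why a looser comparison is not a fix. The host names, tokens and helper names (make_token, resolve_jku_allowlisted, outcomes, ...) are constructed for the example; nothing here performs network I/O, it stops at the point where a key fetch would be issued.

```python
from __future__ import annotations

import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment; JOSE omits the '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_token(header: dict, claims: dict | None = None) -> str:
    """Build a compact JWS for the constructed inputs below. The signature
    segment is junk on purpose: this example stops at key resolution, which is
    where the SSRF happens, before any signature check could reject the token."""
    return f"{_b64url_encode(header)}.{_b64url_encode(claims or {})}.c2ln"


def jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact-serialized JWS (not yet verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0]))


def resolve_jku_unsafe(token: str) -> str:
    """Vulnerable pattern: fetch keys from whatever jku the token carries.
    The validator's HTTP client is steered wherever the token author wants,
    e.g. link-local metadata endpoints or services on an internal network."""
    return jwt_header(token)["jku"]


def looks_trusted_prefix(jku: str, trusted_origin: str) -> bool:
    """An insufficient check: prefix/host matching still lets through
    lookalike subdomains, userinfo tricks and path traversal (see CRAFTED_JKUS)."""
    return jku.startswith(trusted_origin)


def resolve_jku_allowlisted(token: str, allowed_jku: frozenset[str]) -> str:
    """Hardened pattern, as the issue title describes: the jku must exactly
    equal one configured value. No normalization and no partial match, so URL
    parsing ambiguities cannot widen the set of reachable hosts."""
    jku = jwt_header(token).get("jku")
    if not isinstance(jku, str) or jku not in allowed_jku:
        raise PermissionError(f"jku not in configured allow-list: {jku!r}")
    return jku  # only now would the caller fetch the JWK Set from this URL


# Constructed sample data (hypothetical hosts, not taken from the issue).
GOOD_JKU = "https://idp.example.com/.well-known/jwks.json"
ALLOWED = frozenset({GOOD_JKU})
CRAFTED_JKUS = [
    "http://169.254.169.254/latest/meta-data/",                   # cloud metadata
    "https://idp.example.com.attacker.test/jwks.json",            # lookalike subdomain
    "https://idp.example.com@attacker.test/jwks.json",            # userinfo trick
    "https://idp.example.com/.well-known/jwks.json/../../admin",  # path traversal
]


def outcomes(allowed: frozenset[str] = ALLOWED) -> dict[str, tuple[bool, bool]]:
    """For each crafted jku: (accepted by prefix check, accepted by exact allow-list)."""
    result = {}
    for jku in CRAFTED_JKUS:
        token = make_token({"alg": "RS256", "jku": jku})
        prefix_ok = looks_trusted_prefix(resolve_jku_unsafe(token), "https://idp.example.com")
        try:
            resolve_jku_allowlisted(token, allowed)
            exact_ok = True
        except PermissionError:
            exact_ok = False
        result[jku] = (prefix_ok, exact_ok)
    return result


if __name__ == "__main__":
    for jku, (prefix_ok, exact_ok) in outcomes().items():
        print(f"prefix:{'PASS ' if prefix_ok else 'block'}  exact:{'PASS ' if exact_ok else 'block'}  {jku}")
```

Running the script shows that three of the four crafted URLs pass the prefix check while none pass the exact-match allow-list; the metadata URL is blocked by both only because it shares no prefix with the trusted origin, not because prefix matching is safe. The point the fix relies on is that the comparison happens before any request is issued, and that it is an exact string comparison against an operator-configured list rather than anything derived from the token.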

              Assignee: Farah Juma
              Reporter: Farah Juma
