CVE-2024-1233

Summary

A flaw was found in JwtValidator.resolvePublicKey in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.

Affected Software

VendorProductVersion RangeStatus
0 < 32.0.0.Finalaffected
Red HatRed Hat JBoss Enterprise Application Platform1.15.23.Final-redhat-00001 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 70:3.0.1-4.b08_redhat_00005.1.ep7.el7 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 70:5.1.17-3.Final_redhat_00004.1.ep7.el7 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 70:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 70:4.0.12-1.Final_redhat_00002.1.ep7.el7 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 70:4.1.63-2.Final_redhat_00003.1.ep7.el7 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 70:1.4.18-16.SP14_redhat_00001.1.ep7.el7 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 70:7.1.11-4.GA_redhat_00002.1.ep7.el7 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 70:1.1.14-1.Final_redhat_00001.1.ep7.el7 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 70:1.0.21-1.Final_redhat_00001.1.ep7.el7 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 70:1.0.13-1.Final_redhat_00001.1.ep7.el7 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 70:1.0.12-1.Final_redhat_00001.1.ep7.el7 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 70:1.0.12-6.Final_redhat_00001.1.ep7.el7 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 70:2.10.4-3.redhat_00006.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 70:2.10.4-3.redhat_00006.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 70:2.10.4-5.redhat_00006.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 70:2.10.4-3.redhat_00006.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 70:2.10.4-5.redhat_00006.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 70:2.10.4-2.redhat_00006.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 70:1.7.2-16.Final_redhat_00017.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 70:4.1.63-5.Final_redhat_00003.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 70:2.0.41-4.SP5_redhat_00001.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 70:7.3.14-3.GA_redhat_00002.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 70:1.10.17-1.Final_redhat_00001.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:3.5.8-1.redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:3.3.22-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:11.0.19-2.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:4.0.54-3.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:3.0.0-8.SP08_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:13.5.0-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:1.12.3-3.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:1.10.0-36.Final_redhat_00035.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:2.2.32-1.SP1_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:7.4.17-2.GA_redhat_00002.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:1.2.4-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:1.15.23-2.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:1.1.17-1.Final_redhat_00002.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:1.1.19-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:2.4.3-1.redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:2.3.4-1.redhat_00002.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:3.5.8-1.redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:3.3.22-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:11.0.19-2.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:4.0.54-3.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:3.0.0-8.SP08_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:13.5.0-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:1.12.3-3.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:1.10.0-36.Final_redhat_00035.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:2.2.32-1.SP1_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:7.4.17-2.GA_redhat_00002.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:1.2.4-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:1.15.23-2.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:1.1.17-1.Final_redhat_00002.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:1.1.19-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:2.4.3-1.redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:2.3.4-1.redhat_00002.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:1.15.23-2.Final_redhat_00001.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:4.0.1-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:2.2.4-2.SP01_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:4.0.1-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:2.2.4-2.SP01_redhat_00001.1.el9eap < *unaffected

Weaknesses

  • CWE-918: Server-Side Request Forgery (SSRF)

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References