2328846 – (CVE-2024-11734) CVE-2024-11734 org.keycloak:keycloak-quarkus-server: Denial of Service in Keycloak Server via Security Headers

Bug 2328846 (CVE-2024-11734) - CVE-2024-11734 org.keycloak:keycloak-quarkus-server: Denial of Service in Keycloak Server via Security Headers

Summary: CVE-2024-11734 org.keycloak:keycloak-quarkus-server: Denial of Service in Key...

Keywords:
Status:	NEW
Alias:	CVE-2024-11734
Deadline:	2025-01-25
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-11-26 03:59 UTC by OSIDB Bzimport
Modified:	2025-01-13 15:48 UTC (History)
CC List:	34 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:0299	0	None	None	None	2025-01-13 15:48:54 UTC
Red Hat Product Errata	RHSA-2025:0300	0	None	None	None	2025-01-13 15:43:39 UTC

Description OSIDB Bzimport 2024-11-26 03:59:59 UTC

A potential Denial of Service (DoS) vulnerability has been identified in Keycloak, which could allow an administrative user with the rights to change realm settings to disrupt the service. This is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that is already terminated, leading to a failure of said request.

Service disruption may happen, users will be unable to access applications relying on
Keycloak, or any of the consoles provided by Keycloak itself on the affected realm.

Comment 2 errata-xmlrpc 2025-01-13 15:43:37 UTC

This issue has been addressed in the following products:

  RHBK 26.0.8

Via RHSA-2025:0300 https://access.redhat.com/errata/RHSA-2025:0300

Comment 3 errata-xmlrpc 2025-01-13 15:48:51 UTC

This issue has been addressed in the following products:

  Red Hat build of Keycloak 26.0

Via RHSA-2025:0299 https://access.redhat.com/errata/RHSA-2025:0299

Note You need to log in before you can comment on or make changes to this bug.

asoldano
bbaranow
bmaxwell
boliveir
brian.stansberry
cdewolf
chazlett
darran.lofthouse
dkreling
dosoudil
drichtar
fjuma
istudens
ivassile
iweiss
jkoops
lgao
mosmerov
msochure
msvehla
nwallace
pdrozd
peholase
pesilva
pjindal
pmackay
pskopek
rmartinc
rowaters
rstancel
security-response-team
smaestri
sthorger
tom.jenkinson