CVE-2024-1233
HIGHWildFly Elytron Realm Token - Server-Side Request Forgery via JwtValidator.resolvePublicKey
Title source: llmDescription
A flaw was found in` JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.
References (14)
Core 14
Core References
Various Sources
https://github.com/advisories/GHSA-v4mm-q8fv-r2w5
Various Sources
https://issues.redhat.com/browse/WFLY-19226
Patch
https://github.com/wildfly/wildfly/pull/17812/commits/0c02350bc0d84287bed46e7c32f90b36e50d3523
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3559
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3560
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3561
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3563
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3580
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3581
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3583
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:9582
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:9583
Vendor Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2024-1233
Issue Tracking issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2262849
Scores
CVSS v3
7.3
EPSS
0.0018
EPSS Percentile
38.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (50)
org.wildfly.security/wildfly-elytron-realm-token
0Maven
Red Hat/Red Hat JBoss Enterprise Application Platform
1.15.23.Final-redhat-00001
Red Hat/Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
0:1.0.12-1.Final_redhat_00001.1.ep7.el7
Red Hat/Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
0:1.0.12-6.Final_redhat_00001.1.ep7.el7
Red Hat/Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
0:1.0.13-1.Final_redhat_00001.1.ep7.el7
Red Hat/Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
0:1.0.21-1.Final_redhat_00001.1.ep7.el7
Red Hat/Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
0:1.1.14-1.Final_redhat_00001.1.ep7.el7
Red Hat/Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
0:1.4.18-16.SP14_redhat_00001.1.ep7.el7
Red Hat/Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7
Red Hat/Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
0:3.0.1-4.b08_redhat_00005.1.ep7.el7
... and 40 more
Published
Apr 09, 2024
Tracked Since
Feb 18, 2026