CVE-2024-1233

CVSS v3.1

7.3

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions JBoss EAP (affected versions not specified)

Description A flaw was found in JwtValidator.resolvePublicKey in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

CVE-2024-1233

GHSA-V4MM-Q8FV-R2W5

RHSA-2024:3559

RHSA-2024:3560

RHSA-2024:3561

RHSA-2024:3580

RHSA-2024:3581

RHSA-2025:9582

RHSA-2025:9583

Affected Products

Jboss Eap

CVE-2024-1233

Weakness Enumeration

Related Identifiers

Affected Products

References · 26