CVE-2024-1233 - High Severity Vulnerability
Vulnerable Library - wildfly-elytron-realm-token-2.2.1.Final.jar
WildFly Security Token Realm Implementation
Library home page: http://www.jboss.org
Path to dependency file: /jetty-infinispan/infinispan-remote-query/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/wildfly/security/wildfly-elytron-realm-token/2.2.1.Final/wildfly-elytron-realm-token-2.2.1.Final.jar
Dependency Hierarchy:
- infinispan-client-hotrod-11.0.17.Final.jar (Root Library)
  - wildfly-elytron-2.2.1.Final.jar
    - :x: **wildfly-elytron-realm-token-2.2.1.Final.jar** (Vulnerable Library)
Found in HEAD commit: 6eace92456f444de3e8f0abbab5c5bed2ae9dba6
Found in base branch: master
Vulnerability Details
A flaw was found in `JwtValidator.resolvePublicKey` in JBoss EAP, where the validator reads the `jku` header of the token and sends an HTTP request to that URL. No allow-listing or other filtering is applied to the destination URL, so an attacker who controls the token header can direct the server's request to an arbitrary address, resulting in a server-side request forgery (SSRF) vulnerability.
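As an added illustration (not code from WildFly Elytron or from this advisory), the following Python sketch contrasts the unfiltered pattern the description names, where the `jku` value from an unverified JOSE header is taken as the fetch URL, with a resolver that only accepts a pre-configured JWKS endpoint. The token builder, the `ALLOWED_JKU` set, and the order of checks are assumptions for the example; the real remediation is the version upgrade listed under Suggested Fix.

```python
import base64
import ipaddress
import json
from urllib.parse import urlsplit

# Assumed allow-list of JWKS endpoints this realm trusts (hypothetical setting,
# not an Elytron option): exact scheme, host and port, nothing taken from the token.
ALLOWED_JKU = {("https", "idp.example.com", 443)}


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a constructed JWT with an empty signature; enough to carry a jku header."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64(header)}.{b64(claims)}."


def jwt_header(token: str) -> dict:
    """Decode the JOSE header (first base64url segment). Nothing is verified yet:
    the jku is attacker-controlled at this point, which is the whole problem."""
    seg = token.split(".")[0]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def resolve_jku_unfiltered(token: str) -> str:
    """Vulnerable pattern: whatever the header says is used as the URL to fetch."""
    return jwt_header(token)["jku"]


def resolve_jku_allowlisted(token: str) -> str:
    """Hardened pattern: the jku must match a configured endpoint exactly."""
    jku = jwt_header(token).get("jku")
    if not isinstance(jku, str):
        raise ValueError("no jku header")
    parts = urlsplit(jku)
    if parts.scheme != "https":
        raise ValueError(f"jku scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # https://trusted@evil.example/ parses with hostname evil.example
        raise ValueError("userinfo in jku is not allowed")
    host = parts.hostname
    if host is None:
        raise ValueError("jku has no host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a DNS name, as expected
    else:
        raise ValueError("IP literal jku is not allowed")
    port = parts.port if parts.port is not None else 443
    if (parts.scheme, host, port) not in ALLOWED_JKU:
        raise ValueError(f"jku endpoint not allow-listed: {host}:{port}")
    return jku  # only now would the caller fetch the JWKS


def is_rejected(token: str) -> bool:
    """Helper for checking that the hardened resolver refuses a token."""
    try:
        resolve_jku_allowlisted(token)
    except ValueError:
        return True
    return False


# Constructed sample tokens: one pointing at a cloud metadata address, one legitimate.
ATTACKER_TOKEN = make_unsigned_token(
    {"alg": "RS256", "jku": "http://169.254.169.254/latest/meta-data/"}, {"sub": "x"})
LEGIT_TOKEN = make_unsigned_token(
    {"alg": "RS256", "jku": "https://idp.example.com/.well-known/jwks.json"}, {"sub": "x"})

if __name__ == "__main__":
    print("unfiltered would fetch:", resolve_jku_unfiltered(ATTACKER_TOKEN))
    print("allow-listed rejects attacker token:", is_rejected(ATTACKER_TOKEN))
    print("allow-listed accepts:", resolve_jku_allowlisted(LEGIT_TOKEN))
```

The unfiltered resolver happily returns the link-local metadata URL, which is the SSRF primitive; the allow-listed one refuses it on scheme alone and would also refuse userinfo tricks, IP literals, and non-default ports even when the host name matches.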
Publish Date: 2024-04-09
URL: CVE-2024-1233
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-1233
Release Date: 2024-04-09
Fix Resolution (org.wildfly.security:wildfly-elytron-realm-token): 2.4.0.Final
Direct dependency fix Resolution (org.infinispan:infinispan-client-hotrod): 11.0.18.Final