CVE-2024-1233 (High) detected in wildfly-elytron-realm-token-2.2.1.Final.jar

[mend-bolt-for-github[bot]]

CVE-2024-1233 - High Severity Vulnerability

Vulnerable Library - wildfly-elytron-realm-token-2.2.1.Final.jar

WildFly Security Token Realm Implementation

Library home page: http://www.jboss.org

Path to dependency file: /jetty-infinispan/infinispan-remote-query/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/wildfly/security/wildfly-elytron-realm-token/2.2.1.Final/wildfly-elytron-realm-token-2.2.1.Final.jar

Dependency Hierarchy: - infinispan-client-hotrod-11.0.17.Final.jar (Root Library) - wildfly-elytron-2.2.1.Final.jar - :x: **wildfly-elytron-realm-token-2.2.1.Final.jar** (Vulnerable Library)

Found in HEAD commit: 6eace92456f444de3e8f0abbab5c5bed2ae9dba6

Found in base branch: master

Vulnerability Details

A flaw was found in` JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.

Publish Date: 2024-04-09

URL: CVE-2024-1233

CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-1233

Release Date: 2024-04-09

Fix Resolution (org.wildfly.security:wildfly-elytron-realm-token): 2.4.0.Final

Direct dependency fix Resolution (org.infinispan:infinispan-client-hotrod): 11.0.18.Final

---

Step up your Open Source Security Game with Mend here