CVE-2024-1233 Overview
CVE-2024-1233 is a Server-Side Request Forgery (SSRF) vulnerability in the JwtValidator.resolvePublicKey function within JBoss Enterprise Application Platform (EAP). The validator parses the jku (JWK Set URL) header from JSON Web Tokens and issues an HTTP request to the supplied URL. Because no allowlist or filtering is applied to the destination address, an unauthenticated attacker can coerce the server to issue requests to arbitrary internal or external endpoints. This weakness is tracked under CWE-918.
Critical Impact
Remote, unauthenticated attackers can abuse the JWT jku header to make the JBoss EAP server send HTTP requests to internal services, enabling reconnaissance of metadata endpoints, internal APIs, and otherwise unreachable infrastructure.
Affected Products
- Red Hat JBoss Enterprise Application Platform (EAP)
- Red Hat WildFly (per upstream commit in WildFly PR #17812)
- Red Hat build of Keycloak / related Red Hat middleware (Red Hat CVE-2024-1233 Details)
Discovery Timeline
- 2024-04-09 - CVE-2024-1233 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-1233
Vulnerability Analysis
The flaw resides in the JwtValidator.resolvePublicKey method. When a JWT presents a jku header parameter, the validator fetches the referenced JSON Web Key Set (JWKS) to obtain the public key used for signature verification. The implementation trusts the attacker-controlled URL without enforcing a host allowlist, scheme restrictions, or network egress filtering.
Attackers send a crafted JWT whose jku points at an internal service. The application server resolves the URL and issues an outbound HTTP request from the trusted middleware host. Depending on the network topology, the request may reach cloud metadata services, internal admin consoles, or other resources protected only by network segmentation.
The vulnerability is classified under CWE-918: Server-Side Request Forgery (SSRF). Successful exploitation can yield information disclosure, internal service probing, and lateral movement preparation.
Root Cause
The root cause is missing input validation on the jku URL prior to dereferencing it. The function performs no whitelisting, scheme verification, or DNS pinning. Any syntactically valid URL passed via the JWT header is fetched, including URLs targeting loopback interfaces, RFC 1918 ranges, or cloud instance metadata endpoints such as 169.254.169.254.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker submits a JWT to any endpoint protected by the vulnerable validator. The jku header in that JWT references an attacker-chosen URL. JBoss EAP then issues an HTTP GET request to that URL from the server context, returning fetched content to the validator for key parsing. Error messages and timing differences can be observed to enumerate reachable internal hosts and ports.
No verified public proof-of-concept code is referenced in the available advisories. See the Red Hat Bugzilla report #2262849 and the GitHub Advisory GHSA-v4mm-q8fv-r2w5 for additional technical context.
Detection Methods for CVE-2024-1233
Indicators of Compromise
- Outbound HTTP requests originating from JBoss EAP or WildFly JVM processes targeting internal IP ranges, loopback, or cloud metadata addresses such as 169.254.169.254.
- JWTs received by the application containing a jku header referencing hosts outside the expected identity provider domain.
- Unexpected DNS queries from the application server for attacker-controlled domains tied to token validation events.
Detection Strategies
- Inspect application and reverse proxy logs for JWT tokens whose decoded header contains a jku parameter, and compare the host against an approved issuer list.
- Monitor egress traffic from middleware hosts and alert on connections to RFC 1918 ranges, link-local addresses, or non-standard external destinations.
- Correlate authentication events with subsequent outbound HTTP requests from the JBoss process to identify SSRF probing patterns.
Monitoring Recommendations
- Enable verbose logging on the JwtValidator component to capture the resolved jku URL during token validation.
- Forward middleware process telemetry and network flow data into a centralized data lake for retroactive hunting.
- Establish baselines for legitimate JWKS fetch destinations and alert on deviations.
How to Mitigate CVE-2024-1233
Immediate Actions Required
- Apply the Red Hat security updates for affected JBoss EAP and WildFly versions referenced in RHSA-2024:3559, RHSA-2024:3560, RHSA-2024:3561, RHSA-2024:3563, RHSA-2024:3580, RHSA-2024:3581, RHSA-2024:3583, RHSA-2025:9582, and RHSA-2025:9583.
- Inventory all JBoss EAP, WildFly, and dependent middleware instances and prioritize internet-facing deployments for patching.
- Restrict outbound network access from middleware hosts using egress firewall rules until patches are applied.
Patch Information
Red Hat has released fixed builds across multiple JBoss EAP product streams. The upstream WildFly fix is available in GitHub commit 0c02350, tracked under WFLY-19226. Administrators should consult the Red Hat CVE-2024-1233 page to map their installed version to the correct errata.
Workarounds
- Configure a network egress allowlist restricting JBoss EAP outbound HTTP traffic to known JWKS issuer endpoints only.
- Place a reverse proxy or API gateway in front of the application that strips or validates the jku header against an approved issuer domain list before forwarding requests.
- Block access from middleware hosts to cloud instance metadata services and other sensitive internal endpoints at the network layer.
# Example egress restriction using iptables on a JBoss EAP host
# Block access to AWS instance metadata service
iptables -A OUTPUT -m owner --uid-owner jboss -d 169.254.169.254 -j REJECT
# Allow JWKS fetches only to the approved identity provider
iptables -A OUTPUT -m owner --uid-owner jboss -p tcp --dport 443 -d idp.example.com -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner jboss -p tcp --dport 443 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
