A flaw was found in` JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.
Credits
Red Hat would like to thank Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab for reporting this issue.
