Brute Force Protection Flaw in Keycloak by Red Hat
CVE-2020-1744

5.6MEDIUM

Key Information:

Vendor: Red Hat
Status: Keycloak
Vendor: CVE Published:; 24 March 2020

Summary

A vulnerability exists in Keycloak that affects versions prior to 9.0.1, where the Conditional OTP Authentication Flow fails to log failed login attempts properly. When users attempt to authenticate using One-Time Passwords (OTP) and fail, these events are not sent to the Brute Force Protection event queue. This oversight permits an attacker to potentially exploit the authentication flow without triggering the intended brute force protections, thus increasing the risk of unauthorized access.

Affected Version(s)

keycloak all keycloak versions prior to 9.0.1

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744

https://access.redhat.com/security/cve/CVE-2020-1744

CVSS V3.1

Score:

5.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 24, 2020
Vulnerability Reserved
Nov 27, 2019