Brute Force Protection Flaw in Keycloak by Red Hat
CVE-2020-1744
5.6 MEDIUM
Summary
A vulnerability exists in Keycloak versions prior to 9.0.1: the Conditional OTP Authentication Flow does not properly record failed login attempts. When a user fails to authenticate with a One-Time Password (OTP), the failure is not sent to the Brute Force Protection event queue. Because failed OTP attempts never reach the brute force protector, an attacker can repeatedly attempt the OTP step without triggering the intended lockout, which increases the risk of unauthorized access.
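To make the failure mode concrete, the following is an added illustration and not Keycloak's own code: a small model of a per-user brute force protector with two two-factor login flows, one that forgets to report OTP failures (the pattern the advisory describes) and one that reports every failure. The lockout threshold, the user store, and all function names are constructed assumptions.

```python
from typing import Callable, Dict, List

# Constructed threshold: lock the account once this many failures are recorded.
MAX_FAILURES = 3


class BruteForceProtector:
    """Counts failed attempts per user and locks the account at the threshold.

    This is a simplified stand-in for a brute force protection event queue,
    not Keycloak's implementation.
    """

    def __init__(self) -> None:
        self.failures: Dict[str, int] = {}

    def record_failure(self, user: str) -> None:
        self.failures[user] = self.failures.get(user, 0) + 1

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= MAX_FAILURES


# Constructed credential store for a hypothetical user (not real data).
USERS = {"alice": {"password": "hunter2", "otp": "123456"}}


def check_password(user: str, password: str) -> bool:
    return USERS.get(user, {}).get("password") == password


def check_otp(user: str, code: str) -> bool:
    return USERS.get(user, {}).get("otp") == code


def login_unreported_otp(protector: BruteForceProtector, user: str,
                         password: str, otp: str) -> str:
    """Flow modelled on the flaw: password failures reach the protector,
    OTP failures are silently dropped."""
    if protector.is_locked(user):
        return "locked"
    if not check_password(user, password):
        protector.record_failure(user)
        return "bad-password"
    if not check_otp(user, otp):
        # Missing protector.record_failure(user): the lockout counter never
        # advances, so the OTP step is not covered by the protector at all.
        return "bad-otp"
    return "ok"


def login_reported_otp(protector: BruteForceProtector, user: str,
                       password: str, otp: str) -> str:
    """Corrected flow: every failed factor is reported to the protector."""
    if protector.is_locked(user):
        return "locked"
    if not check_password(user, password):
        protector.record_failure(user)
        return "bad-password"
    if not check_otp(user, otp):
        protector.record_failure(user)  # the OTP failure now counts
        return "bad-otp"
    return "ok"


def run_attempts(login: Callable[..., str], user: str, password: str,
                 otps: List[str]) -> List[str]:
    """Run a sequence of OTP attempts against a fresh protector and return
    the outcome of each attempt."""
    protector = BruteForceProtector()
    return [login(protector, user, password, code) for code in otps]


if __name__ == "__main__":
    wrong_codes = ["000000"] * 5
    print("unreported:", run_attempts(login_unreported_otp, "alice", "hunter2", wrong_codes))
    print("reported:  ", run_attempts(login_reported_otp, "alice", "hunter2", wrong_codes))
```

With five wrong codes the unreported flow answers "bad-otp" every time, while the reported flow locks the account after the third failure and rejects further attempts, including a later correct code. The defensive point is that a brute force protector only covers the authentication steps that actually feed it; an audit of a custom or conditional flow should confirm that each factor's failure path reports to the protector.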
Affected Version(s)
Keycloak: all versions prior to 9.0.1
References
CVSS v3.1
Score: 5.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved