Keycloak: potential bypass of brute force protection
CVE-2024-4629
6.5MEDIUM
Key Information
- Vendor
- Red Hat
- Status
- Red Hat Build Of Keycloak
- Red Hat Build Of Keycloak 22
- Red Hat Single Sign-on 7
- Red Hat Single Sign-on 7.6 For Rhel 7
- Vendor
- CVE Published:
- 3 September 2024
Summary
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
Affected Version(s)
Red Hat build of Keycloak 22 <= 22.0.12-1
Red Hat build of Keycloak 22 <= 22-17
Red Hat build of Keycloak 22 <= 22-20
CVSS V3.1
Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Risk change from: null to: 6.5 - (MEDIUM)
Vulnerability published.
Reported to Red Hat.
Collectors
NVD DatabaseMitre Database