Keycloak: potential bypass of brute force protection

CVE-2024-4629

6.5MEDIUM

Key Information

Vendor: Red Hat
Status: Red Hat Build Of Keycloak; Red Hat Build Of Keycloak 22; Red Hat Single Sign-on 7; Red Hat Single Sign-on 7.6 For Rhel 7
Vendor: CVE Published:; 3 September 2024

Summary

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Affected Version(s)

Red Hat build of Keycloak 22 <= 22.0.12-1

Red Hat build of Keycloak 22 <= 22-17

Red Hat build of Keycloak 22 <= 22-20

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 6.5 - (MEDIUM)
Sep 9, 2024
Vulnerability published.
Sep 3, 2024
Reported to Red Hat.
Apr 23, 2024

Collectors

NVD DatabaseMitre Database