CVE-2018-14657 — Improper Restriction of Excessive Authentication Attempts in RED HAT Keycloak

CWE-307 — Improper Restriction of Excessive Authentication Attempts6 documents6 sources

Severity

8.1HIGHNVD

EPSS

0.4%

top 41.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Keycloak Redhat Keycloak Redhat Single Sign-on

Timeline

PublishedNov 13

Latest updateMay 13

Description

A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶NVDredhat/keycloak4.2.1, 4.3.0+1

▶CVEListV5red_hat/keycloak4.2.1.Final, 4.3.0.Final

▶NVDredhat/single_sign-on7.2

🔴Vulnerability Details

GHSA

Keycloak Improper Bruteforce Detection↗2022-05-13

▶

OSV

Keycloak Improper Bruteforce Detection↗2022-05-13

▶

CVEList

CVE-2018-14657: A flaw was found in Keycloak 4↗2018-11-13

▶

📋Vendor Advisories

Red Hat

keycloak: brute force protection not working for the entire login workflow↗2018-11-13

▶

💬Community

Bugzilla

CVE-2018-14657 keycloak: brute force protection not working for the entire login workflow↗2018-09-04

▶