Severity
5.3 MEDIUM (NVD)
3.7 (CNA)
EPSS
0.4% (top 38.82%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 29
Latest update: Jan 11

Description

A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4

Affected Packages (1 package)

NVD: redhat/keycloak 23.0.5

🔴 Vulnerability Details (3)

OSV: Keycloak Denial of Service via account lockout (2024-06-12)
GHSA: Keycloak Denial of Service via account lockout (2024-06-12)
CVEList: Keycloak-core: dos via account lockout (2024-02-27)

📋 Vendor Advisories (2)

Red Hat: kernel: bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again (2025-01-11)
Red Hat: keycloak-core: DoS via account lockout (2024-02-21)
CVE-2024-1722 — Redhat Keycloak vulnerability | cvebase