CVE-2024-4629

CWE-837CWE-3075 documents5 sources
Severity
6.5MEDIUM
EPSS
1.1%
top 22.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Redhat Build OF KeycloakRedhat KeycloakRedhat Single Sign-on+4 more
Timeline
PublishedSep 3
Latest updateSep 17

Description

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages5 packages

NVDredhat/keycloak< 24.0.3
NVDredhat/build_of_keycloak22.022.012
Mavenorg.keycloak:keycloak-services23.0.024.0.7+2
NVDredhat/single_sign-on7.67.6.10

Also affects: Openshift Container Platform 4.11, 4.12, 4.10, 4.9

🔴Vulnerability Details

3
OSV
Keycloak Services has a potential bypass of brute force protection2024-09-17
GHSA
Keycloak Services has a potential bypass of brute force protection2024-09-17
CVEList
Keycloak: potential bypass of brute force protection2024-09-03

📋Vendor Advisories

1
Red Hat
keycloak: potential bypass of brute force protection2024-09-03