CVE-2024-7318Use of a Key Past its Expiration Date in Redhat Build OF Keycloak

CWE-324Use of a Key Past its Expiration Date5 documents5 sources
Severity
4.8MEDIUMNVD
EPSS
1.4%
top 19.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Redhat Build OF Keycloak
Timeline
PublishedSep 9
Latest updateOct 14

Description

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at a

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 2.2 | Impact: 2.5

Affected Packages1 packages

NVDredhat/build_of_keycloak22.024.0.7

🔴Vulnerability Details

3
GHSA
Keycloaks's One Time Passcode (OTP) is valid longer than expiration timeSeverity2024-10-14
OSV
Keycloaks's One Time Passcode (OTP) is valid longer than expiration timeSeverity2024-10-14
CVEList
Keycloak-core: one time passcode (otp) is valid longer than expiration timeseverity2024-09-09

📋Vendor Advisories

1
Red Hat
keycloak-core: One Time Passcode (OTP) is valid longer than expiration timeSeverity2024-09-09
CVE-2024-7318 — Use of a Key Past its Expiration Date | cvebase