6.5

CVE-2024-4629

Keycloak: potential bypass of brute force protection

Potential bypass of brute force protection

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
Mögliche Gegenmaßnahme
Keycloak Server: Install latest version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatKeycloak Version < 24.0.3
RedhatBuild Of Keycloak Version >= 22.0 < 22.012
RedhatSingle Sign-on Version- SwEditiontext-only
RedhatSingle Sign-on Version >= 7.6 < 7.6.10
   RedhatEnterprise Linux Version7.0
   RedhatEnterprise Linux Version8.0
   RedhatEnterprise Linux Version9.0
RedhatOpenshift Container Platform Version4.11
   RedhatEnterprise Linux Version8.0
RedhatOpenshift Container Platform Version4.12
   RedhatEnterprise Linux Version8.0
Weitere Schwachstelleninformationen
SystemKeycloak
Produkt Keycloak Server
Version < 22.0.12
Version >= 24.0.0, < 24.0.7
Version >= 25.0.0, < 25.0.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.44% 0.634
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
secalert@redhat.com 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE-837 Improper Enforcement of a Single, Unique Action

The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.