6.5

CVE-2024-4629

Keycloak: potential bypass of brute force protection

Potential bypass of brute force protection

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
Mögliche Gegenmaßnahme
Keycloak Server: Install latest version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatKeycloak Version < 24.0.3
RedhatBuild Of Keycloak Version >= 22.0 < 22.012
RedhatSingle Sign-on Version- SwEditiontext-only
RedhatSingle Sign-on Version >= 7.6 < 7.6.10
   RedhatEnterprise Linux Version7.0
   RedhatEnterprise Linux Version8.0
   RedhatEnterprise Linux Version9.0
RedhatOpenshift Container Platform Version4.11
   RedhatEnterprise Linux Version8.0
RedhatOpenshift Container Platform Version4.12
   RedhatEnterprise Linux Version8.0
Weitere Schwachstelleninformationen
SystemKeycloak
Produkt Keycloak Server
Version < 22.0.12
Version >= 24.0.0, < 24.0.7
Version >= 25.0.0, < 25.0.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.79% 0.515
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
secalert@redhat.com 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE-837 Improper Enforcement of a Single, Unique Action

The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.

https://access.redhat.com/errata/RHSA-2024:6493
Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:6494
Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:6495
Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:6497
Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:6499
Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:6500
Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:6501
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2024-4629
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2276761
Vendor Advisory
Issue Tracking
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-09-Keycloak.md
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/
https://github.com/keycloak/keycloak/security/advisories/GHSA-gc7q-jgjv-vjr2
Third Party Advisory