4.8
CVE-2024-7318
- EPSS 1.22%
- Veröffentlicht 09.09.2024 19:15:14
- Zuletzt bearbeitet 07.10.2024 20:15:17
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Keycloak-core: one time passcode (otp) is valid longer than expiration timeseverity
One Time Passcode (OTP) is valid longer than expiration timeSeverity
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.
Mögliche Gegenmaßnahme
Keycloak Server: Install latest version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Build Of Keycloak Version >= 22.0 < 24.0.7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemKeycloak
≫
Produkt
Keycloak Server
Version
>= 0.0.0, < 24.0.7
Version
>= 25.0.0, < 25.0.4
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.22% | 0.792 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.8 | 2.2 | 2.5 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
|
| secalert@redhat.com | 4.8 | 2.2 | 2.5 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
|
CWE-324 Use of a Key Past its Expiration Date
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.