CVE-2024-4629
Keycloak: potential bypass of brute force protection
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-05-07 CVE Reserved
- 2024-09-03 CVE Published
- 2024-09-17 EPSS Updated
- 2024-12-24 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-837: Improper Enforcement of a Single, Unique Action
CAPEC
References (9)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-4629 | 2024-09-03 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2276761 | 2024-09-03 | |
| https://access.redhat.com/errata/RHSA-2024:6493 | 2024-12-24 | |
| https://access.redhat.com/errata/RHSA-2024:6494 | 2024-12-24 | |
| https://access.redhat.com/errata/RHSA-2024:6495 | 2024-12-24 | |
| https://access.redhat.com/errata/RHSA-2024:6497 | 2024-12-24 | |
| https://access.redhat.com/errata/RHSA-2024:6499 | 2024-12-24 | |
| https://access.redhat.com/errata/RHSA-2024:6500 | 2024-12-24 | |
| https://access.redhat.com/errata/RHSA-2024:6501 | 2024-12-24 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Build Keycloak Search vendor "Redhat" for product "Build Keycloak" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Build Of Keycloak Search vendor "Redhat" for product "Build Of Keycloak" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Keycloak Search vendor "Redhat" for product "Keycloak" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Container Platform For Linuxone Search vendor "Redhat" for product "Openshift Container Platform For Linuxone" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Container Platform For Power Search vendor "Redhat" for product "Openshift Container Platform For Power" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Container Platform Ibm Z Systems Search vendor "Redhat" for product "Openshift Container Platform Ibm Z Systems" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Red Hat Single Sign On Search vendor "Redhat" for product "Red Hat Single Sign On" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Rhosemc Search vendor "Redhat" for product "Rhosemc" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | * | - |
Affected
| ||||||