Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-4629

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Published

2024-09-03T20:15:09.003

Last Modified

2024-11-21T09:43:14.917

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Primary
CWE-837

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	redhat	keycloak	< 24.0.3	Yes
Application	redhat	build_of_keycloak	< 22.012	Yes
Application	redhat	single_sign-on	-	Yes
Application	redhat	single_sign-on	< 7.6.10	Yes
Operating System	redhat	enterprise_linux	7.0	No
Operating System	redhat	enterprise_linux	8.0	No
Operating System	redhat	enterprise_linux	9.0	No
Application	redhat	openshift_container_platform	4.11	Yes
Application	redhat	openshift_container_platform	4.12	Yes
Application	redhat	openshift_container_platform_for_linuxone	4.9	Yes
Application	redhat	openshift_container_platform_for_linuxone	4.10	Yes
Application	redhat	openshift_container_platform_for_power	4.9	Yes
Application	redhat	openshift_container_platform_for_power	4.10	Yes
Application	redhat	openshift_container_platform_ibm_z_systems	4.9	Yes
Application	redhat	openshift_container_platform_ibm_z_systems	4.10	Yes
Operating System	redhat	enterprise_linux	8.0	No

References

https://access.redhat.com/errata/RHSA-2024:6493 Vendor Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:6494 Vendor Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:6495 Vendor Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:6497 Vendor Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:6499 Vendor Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:6500 Vendor Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:6501 Vendor Advisory ([email protected])
https://access.redhat.com/security/cve/CVE-2024-4629 Vendor Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=2276761 Issue Tracking, Vendor Advisory ([email protected])
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-09-Keycloak.md (af854a3a-2127-422b-91ae-364da2661108)
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/ (af854a3a-2127-422b-91ae-364da2661108)