A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By sending many login requests concurrently, an attacker can have more failed attempts processed than the configured limit before the lockout takes effect: each request is evaluated against the failure count as it stood before the concurrent attempts were recorded (a check-then-act race, tracked as CWE-837). This timing loophole lets an attacker make more password guesses than intended, potentially compromising account security on affected systems.
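The race the description refers to, as an added illustration that is not Keycloak's code: a failure counter that is read before a slow credential check and written only after it lets a burst of concurrent requests all pass the pre-lockout check, whereas a limiter that reserves the attempt atomically before verifying caps the guesses at the configured limit regardless of scheduling. The class names, the limit of 3 and the account "alice" are this example's own choices; verify() is a constructed stand-in for a password check that always rejects, and simulate_burst() forces the schedule an attacker is aiming for.

```python
import threading
import time


class NaiveLimiter:
    """Brute-force limiter with a check-then-act race (illustrative, not Keycloak's).

    The failure counter is read before the slow credential check and written
    only afterwards, so concurrent requests all see the pre-lockout count.
    The increment itself is made atomic on purpose: the bug is its ordering.
    """

    def __init__(self, max_failures):
        self.max_failures = max_failures
        self.failures = {}
        self.lock = threading.Lock()

    def attempt(self, user, password, verify):
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"
        if verify(user, password):        # slow: hash comparison, DB round trip
            with self.lock:
                self.failures[user] = 0
            return "ok"
        with self.lock:                   # too late: the guess was already checked
            self.failures[user] = self.failures.get(user, 0) + 1
        return "fail"


class ReservingLimiter:
    """Same policy, but the attempt slot is claimed atomically before verification."""

    def __init__(self, max_failures):
        self.max_failures = max_failures
        self.failures = {}
        self.lock = threading.Lock()

    def attempt(self, user, password, verify):
        with self.lock:
            n = self.failures.get(user, 0)
            if n >= self.max_failures:
                return "locked"
            self.failures[user] = n + 1   # reserve the attempt first
        if verify(user, password):
            with self.lock:
                self.failures[user] = 0   # a successful login clears the count
            return "ok"
        return "fail"


def simulate_burst(limiter, user, n_requests):
    """Fire n_requests wrong-password logins at once against one account.

    The constructed verify() parks every request inside the credential check
    until all n_requests have either been rejected or reached it, which is the
    interleaving a burst of parallel logins is trying to hit.
    Returns (guesses_actually_checked, requests_rejected_as_locked).
    """
    release = threading.Event()
    counters = {"in_verify": 0, "done": 0}
    counters_lock = threading.Lock()
    results = []

    def verify(_user, _password):
        with counters_lock:
            counters["in_verify"] += 1
        release.wait()                    # stands in for hashing/DB latency
        return False                      # every guess in the burst is wrong

    def worker():
        outcome = limiter.attempt(user, "wrong-guess", verify)
        with counters_lock:
            results.append(outcome)
            counters["done"] += 1

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    while True:                           # wait until no request can progress
        with counters_lock:
            if counters["in_verify"] + counters["done"] >= n_requests:
                break
        time.sleep(0.001)
    release.set()
    for t in threads:
        t.join()
    return results.count("fail"), results.count("locked")


if __name__ == "__main__":
    for cls in (NaiveLimiter, ReservingLimiter):
        checked, locked = simulate_burst(cls(max_failures=3), "alice", 10)
        print(f"{cls.__name__}: {checked} guesses checked, {locked} rejected as locked")
```

With a limit of 3 and a burst of 10 requests, NaiveLimiter lets all 10 guesses reach the password check and only locks the account afterwards, while ReservingLimiter checks exactly 3 and rejects the other 7. Sequential attempts are limited correctly by both, which is why this class of bug survives ordinary functional tests. A per-process lock only closes the window on one node: in a multi-node deployment the reservation has to be an atomic operation in whatever shared store holds the failure counts. On the detection side, more failed logins for a single account inside one short window than the configured threshold allows is the signal that the limiter was raced rather than honoured.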
History

Fri, 22 Nov 2024 12:00:00 +0000


Mon, 16 Sep 2024 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Redhat enterprise Linux
Redhat keycloak
Redhat openshift Container Platform
Redhat openshift Container Platform For Linuxone
Redhat openshift Container Platform For Power
Redhat openshift Container Platform Ibm Z Systems
Redhat single Sign-on
CPEs cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.9:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products Redhat build Of Keycloak
Redhat enterprise Linux
Redhat keycloak
Redhat openshift Container Platform
Redhat openshift Container Platform For Linuxone
Redhat openshift Container Platform For Power
Redhat openshift Container Platform Ibm Z Systems
Redhat single Sign-on

Mon, 09 Sep 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhosemc
CPEs removed: cpe:/a:redhat:red_hat_single_sign_on:7
CPEs added: cpe:/a:redhat:build_keycloak:22::el9
cpe:/a:redhat:red_hat_single_sign_on:7.6
cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
cpe:/a:redhat:rhosemc:1.0::el8
Vendors & Products added: Redhat rhosemc
References

Tue, 03 Sep 2024 23:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity: removed None, added Low


Tue, 03 Sep 2024 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Sep 2024 20:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
Title Keycloak: potential bypass of brute force protection
First Time appeared Redhat
Redhat build Keycloak
Redhat jboss Enterprise Application Platform
Redhat red Hat Single Sign On
Weaknesses CWE-837
CPEs cpe:/a:redhat:build_keycloak:22
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products Redhat
Redhat build Keycloak
Redhat jboss Enterprise Application Platform
Redhat red Hat Single Sign On
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-09-03T19:42:01.318Z

Updated: 2024-11-24T18:42:07.474Z

Reserved: 2024-05-07T20:47:03.184Z

Link: CVE-2024-4629

Vulnrichment

Updated: 2024-11-14T16:59:26.284Z

NVD

Status: Modified

Published: 2024-09-03T20:15:09.003

Modified: 2024-11-21T09:43:14.917

Link: CVE-2024-4629

Redhat

Severity: Low

Public Date: 2024-09-03T19:38:00Z

Links: CVE-2024-4629 - Bugzilla