A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.
History

Fri, 20 Sep 2024 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
CPEs cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*
Vendors & Products Redhat build Of Keycloak

Wed, 18 Sep 2024 08:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak:22 cpe:/a:redhat:build_keycloak:24

Mon, 09 Sep 2024 19:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

threat_severity

Low


Mon, 09 Sep 2024 19:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.
Title Keycloak-core: one time passcode (otp) is valid longer than expiration timeseverity
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-324
CPEs cpe:/a:redhat:build_keycloak:22
cpe:/a:redhat:build_keycloak:24::el9
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-09-09T18:50:36.583Z

Updated: 2024-11-24T18:42:36.480Z

Reserved: 2024-07-31T03:04:15.355Z

Link: CVE-2024-7318

cve-icon Vulnrichment

Updated: 2024-09-09T19:08:28.083Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-09T19:15:14.237

Modified: 2024-10-07T20:15:17.153

Link: CVE-2024-7318

cve-icon Redhat

Severity : Low

Publid Date: 2024-09-09T13:55:00Z

Links: CVE-2024-7318 - Bugzilla