CVE-2020-1744
MEDIUMKeycloak < 9.0.1 - Brute Force Protection Bypass via Conditional OTP Authentication Flow
Title source: llmDescription
A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.
References (2)
Core 2
Core References
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2020-1744
Issue Tracking, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744
Scores
CVSS v3
5.6
EPSS
0.0019
EPSS Percentile
40.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-755
Status
published
Products (2)
org.keycloak/keycloak-core
0 - 9.0.1Maven
redhat/keycloak
< 9.0.1
Published
Mar 24, 2020
Tracked Since
Feb 18, 2026