CVE-2024-4629
MEDIUM
Keycloak - Brute Force Protection Bypass
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts: the limit on failed attempts is enforced before each attempt is processed, but the failure is only counted afterwards, so login requests that are in flight at the same time are all evaluated against the same pre-lockout count. By initiating many login requests simultaneously, an attacker can have more password guesses verified than the configured limit allows before the account is locked out. This timing loophole weakens the protection against password guessing and may lead to account compromise on affected systems.
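To make the timing loophole concrete, here is an added example that is not code from Keycloak or from this advisory. It models the bug class in plain Python: a login handler that checks the per-user failure counter, verifies the password, and only then records the failure, so a burst of concurrent wrong-password requests is verified in full even though the limit is far lower. Beside it is a hardened variant that reserves an attempt slot under a lock before verifying, which is one general mitigation for check-then-act races and not a description of the upstream patch. The account name, the threshold of 5, the 20-request burst and the barrier used to pin the interleaving are all constructed for the demonstration; for real deployments the remedy is upgrading to the fixed versions listed under Affected Products.

```python
"""Model of the race in check-then-act brute force protection.

Added example, not Keycloak's code. The vulnerable handler reads the failure
counter, verifies the password, and only afterwards records the failure, so
requests in flight together all see the same pre-lockout count. The hardened
variant reserves a slot before verifying (one general mitigation, not the
upstream fix).
"""
import threading
import time
from typing import Callable, Dict

MAX_FAILURES = 5  # assumed lockout threshold, constructed for the example

Verifier = Callable[[str, str], bool]


class VulnerableProtector:
    """Check, then do slow work, then count: the gap is the race window."""

    def __init__(self) -> None:
        self.failures: Dict[str, int] = {}
        self.lock = threading.Lock()

    def attempt(self, user: str, password: str, verify: Verifier) -> str:
        if self.failures.get(user, 0) >= MAX_FAILURES:   # check ...
            return "locked"
        if verify(user, password):                        # ... slow work ...
            return "ok"
        with self.lock:                                   # ... act too late
            self.failures[user] = self.failures.get(user, 0) + 1
        return "failed"


class HardenedProtector:
    """Reserve before verifying: in-flight attempts count toward the limit,
    so failures + in_flight never exceeds MAX_FAILURES whatever the timing."""

    def __init__(self) -> None:
        self.failures: Dict[str, int] = {}
        self.in_flight: Dict[str, int] = {}
        self.lock = threading.Lock()

    def attempt(self, user: str, password: str, verify: Verifier) -> str:
        with self.lock:
            used = self.failures.get(user, 0) + self.in_flight.get(user, 0)
            if used >= MAX_FAILURES:
                return "locked"
            self.in_flight[user] = self.in_flight.get(user, 0) + 1
        ok = False
        try:
            ok = verify(user, password)
        finally:
            with self.lock:                # release the slot; a failure (or an
                self.in_flight[user] -= 1  # exception) keeps it consumed
                if not ok:
                    self.failures[user] = self.failures.get(user, 0) + 1
        return "ok" if ok else "failed"


def burst(protector, n: int, verify: Verifier) -> Dict[str, int]:
    """Fire n wrong-password logins for one account at the same instant and
    count how many were actually password-checked versus rejected as locked."""
    results = [""] * n
    go = threading.Event()

    def worker(i: int) -> None:
        go.wait()
        results[i] = protector.attempt("alice", f"guess-{i}", verify)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    go.set()
    for t in threads:
        t.join()
    return {"verified": results.count("failed"), "locked": results.count("locked")}


def run_vulnerable(n: int = 20) -> Dict[str, int]:
    # A barrier inside the verifier pins the interleaving the attacker is
    # racing for: every request is past the check before any failure is counted.
    inside_verify = threading.Barrier(n)

    def wrong_password(user: str, password: str) -> bool:
        inside_verify.wait()
        return False

    return burst(VulnerableProtector(), n, wrong_password)


def run_hardened(n: int = 20) -> Dict[str, int]:
    # No pinning needed: the reservation bounds the result for any interleaving.
    def wrong_password(user: str, password: str) -> bool:
        time.sleep(0.01)  # stands in for a slow hash comparison
        return False

    return burst(HardenedProtector(), n, wrong_password)


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())  # all 20 guesses verified, limit is 5
    print("hardened:  ", run_hardened())    # exactly 5 verified, 15 locked
```

The "verified" count is the number of password guesses the attacker actually got checked: 20 against the vulnerable handler with a limit of 5, exactly 5 against the hardened one. The barrier is only there to make the vulnerable outcome reproducible; in a real service the same window exists whenever password verification takes longer than the interval between concurrent requests.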
Scores
CVSS v3: 6.5 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0109 (1.09%)
EPSS Percentile: 77.7%
Classification
CWE: CWE-837
Status: published
Affected Products (13)
redhat/keycloak: < 24.0.3
redhat/build_of_keycloak: < 22.0.12
redhat/single_sign-on (no version range given)
redhat/single_sign-on: < 7.6.10
redhat/openshift_container_platform (two entries, no version range given)
redhat/openshift_container_platform_for_linuxone (two entries, no version range given)
redhat/openshift_container_platform_for_power (two entries, no version range given)
redhat/openshift_container_platform_ibm_z_systems (two entries, no version range given)
org.keycloak/keycloak-services (Maven): < 22.0.12
Timeline
Published: Sep 03, 2024
Tracked Since: Feb 18, 2026