CVE-2024-4629

MEDIUM

Keycloak - Auth Bypass

Title source: llm

Description

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

References (11)

Core 11

Core References

Various Sources

https://github.com/hnsecurity/vulns/blob/main/HNS-2024-09-Keycloak.md

View Writeup ZIP pw:eip

Various Sources

https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:6493

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:6494

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:6495

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:6497

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:6499

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:6500

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:6501

Vendor Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2024-4629

Issue Tracking, Vendor Advisory issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2276761

Scores

CVSS v3 6.5

EPSS 0.0044

EPSS Percentile 63.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-837

Status published

Products (23)

org.keycloak/keycloak-services 0 - 22.0.12Maven

Red Hat/Red Hat Build of Keycloak

Red Hat/Red Hat build of Keycloak 22 22-17

Red Hat/Red Hat build of Keycloak 22 22-20

Red Hat/Red Hat build of Keycloak 22 22.0.12-1

Red Hat/Red Hat JBoss Enterprise Application Platform 8

Red Hat/Red Hat Single Sign-On 7

Red Hat/Red Hat Single Sign-On 7.6 for RHEL 7 0:18.0.16-1.redhat_00001.1.el7sso

Red Hat/Red Hat Single Sign-On 7.6 for RHEL 8 0:18.0.16-1.redhat_00001.1.el8sso

Red Hat/Red Hat Single Sign-On 7.6 for RHEL 9 0:18.0.16-1.redhat_00001.1.el9sso

... and 13 more

Published Sep 03, 2024

Tracked Since Feb 18, 2026