CVE-2024-7318
MEDIUM
Red Hat build of Keycloak 22.0-24.0.6 - Use of Expired OTP Codes via FreeOTP Token Period
Title source: llmDescription
A vulnerability was found in Keycloak. Expired OTP codes remain usable with FreeOTP when the OTP token period is set to 30 seconds (the default). Instead of expiring and being rejected roughly 30 seconds after issuance, a code stays valid for a further 30 seconds, for a total of one minute. A one-time passcode that is accepted beyond its expiration time widens the window in which a malicious actor who has captured a code can use it to compromise the account. It also enlarges the attack surface because, at any given moment, two OTPs are valid.
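The following is an added illustration of the acceptance-window behaviour the description reports; it is not Keycloak's or FreeOTP's code. It is a minimal RFC 4226/6238 HOTP/TOTP implementation whose verifier takes a configurable look-behind count, so the difference between rejecting a code at the end of its 30 s step (look_behind=0) and still accepting the previous step's code (look_behind=1, which yields the 60 s lifetime and two simultaneously valid codes named in the CVE) can be measured. The secret is the ASCII test key from RFC 6238 Appendix B, and all timestamps are constructed sample values; the function names are this example's own.

```python
# Added example: TOTP verifier with a configurable look-behind, used to show how
# accepting the previous time step doubles a code's lifetime.  Not Keycloak code.
import hashlib
import hmac
import struct

PERIOD = 30   # token period in seconds, the default the CVE refers to
DIGITS = 6

# Constructed sample secret: the ASCII test key from RFC 6238 Appendix B.
SAMPLE_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): dynamic truncation of HMAC-SHA1(key, counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP over the time-step counter floor(t / period)."""
    return hotp(key, int(at_time) // period, digits)


def verify(key: bytes, code: str, at_time: int, look_behind: int = 0,
           period: int = PERIOD, digits: int = DIGITS) -> bool:
    """Accept `code` if it matches the current step or any of `look_behind`
    earlier steps.  look_behind=0 is the strict policy; look_behind=1 reproduces
    the reported behaviour: a code from the previous 30 s step is still accepted,
    so every code lives for up to 60 s and two codes are valid at once."""
    current = int(at_time) // period
    return any(
        hmac.compare_digest(hotp(key, current - k, digits), code)
        for k in range(look_behind + 1)
    )


def acceptance_seconds(issue_time: int, look_behind: int = 0, period: int = PERIOD) -> int:
    """Seconds a code issued at `issue_time` remains accepted.  The code belongs to
    step floor(issue_time / period); the verifier rejects it once its own step has
    advanced past that step by more than `look_behind`."""
    step = int(issue_time) // period
    first_rejected_at = (step + look_behind + 1) * period
    return first_rejected_at - int(issue_time)


def codes_accepted_at(key: bytes, at_time: int, look_behind: int = 0,
                      period: int = PERIOD, digits: int = DIGITS) -> set:
    """Every code the verifier would accept at `at_time` under this policy."""
    current = int(at_time) // period
    return {hotp(key, current - k, digits) for k in range(look_behind + 1)}


if __name__ == "__main__":
    # Constructed timeline: a code issued at the start of a 30 s step (t=990, step 33).
    issued_at = 990
    code = totp(SAMPLE_KEY, issued_at)
    for policy, look_behind in (("strict", 0), ("previous step accepted", 1)):
        print(f"{policy}: code {code} accepted for "
              f"{acceptance_seconds(issued_at, look_behind)} s; "
              f"{len(codes_accepted_at(SAMPLE_KEY, 1000, look_behind))} code(s) valid at t=1000")
```

Any look-behind a verifier allows for clock skew widens the replay window in exactly this way, so a skew allowance should be as small as the deployment can tolerate and should be paired with a reuse check, so that a code already consumed is rejected for the rest of its (widened) lifetime even if it still matches a step inside the window.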
References (4)
RHSA-2024:6502 (Red Hat vendor advisory, issue tracking): https://access.redhat.com/errata/RHSA-2024:6502
RHSA-2024:6503 (Red Hat vendor advisory, issue tracking): https://access.redhat.com/errata/RHSA-2024:6503
Red Hat CVE page (vendor advisory, VDB entry): https://access.redhat.com/security/cve/CVE-2024-7318
Red Hat Bugzilla bug 2301876 (issue tracking, vendor advisory): https://bugzilla.redhat.com/show_bug.cgi?id=2301876
Scores
CVSS v3
4.8
EPSS
0.0122
EPSS Percentile
79.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-324: Use of a Key Past its Expiration Date
Status
published
Products (2)
org.keycloak/keycloak-core
0 - 24.0.7 (Maven)
redhat/build_of_keycloak
22.0 - 24.0.7
Published
Sep 09, 2024
Tracked Since
Feb 18, 2026