CVE-2024-1722
3.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
4.15.0 | affected |
Weaknesses
- CWE-645: Overly Restrictive Account Lockout Mechanism
Workarounds
Red Hat Product Security is not aware of a way to completely mitigate this issue. However, the following techniques can be used to help prevent exploitation:
- Put limits on frequency of account registration, restricting how often an attacker could utilize this attack
- Restrict new account registration to not allow email addresses in the username field, for example, by not allowing the "@" symbol. Note: this cannot prevent attacks against existing users who have registered with an email address.
If this vulnerability has been triggered, an administrator has two options to remedy it manually by modifying the second account (of the attacker):
- Delete the account
- Change the username
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://access.redhat.com/security/cve/CVE-2024-1722
- https://bugzilla.redhat.com/show_bug.cgi?id=2265389
References
- https://access.redhat.com/security/cve/CVE-2024-1722
- https://bugzilla.redhat.com/show_bug.cgi?id=2265389
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.