CVE-2024-1722

Summary

A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

Affected Software

VendorProductVersion RangeStatus
4.15.0affected

Weaknesses

  • CWE-645: Overly Restrictive Account Lockout Mechanism

Workarounds

Red Hat Product Security is not aware of a way to completely mitigate this issue. However, the following techniques can be used to help prevent exploitation:

  • Put limits on frequency of account registration, restricting how often an attacker could utilize this attack
  • Restrict new account registration to not allow email addresses in the username field, for example, by not allowing the "@" symbol. Note: this cannot prevent attacks against existing users who have registered with an email address.

If this vulnerability has been triggered, an administrator has two options to remedy it manually by modifying the second account (of the attacker):

  • Delete the account
  • Change the username

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References