CVE-2024-4629

Summary

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Affected Software

VendorProductVersion RangeStatus
24.0.3affected
Red HatRed Hat build of Keycloak 2222.0.12-1 < *unaffected
Red HatRed Hat build of Keycloak 2222-17 < *unaffected
Red HatRed Hat build of Keycloak 2222-20 < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 70:18.0.16-1.redhat_00001.1.el7sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 80:18.0.16-1.redhat_00001.1.el8sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 90:18.0.16-1.redhat_00001.1.el9sso < *unaffected
Red HatRHEL-8 based Middleware Containers7.6-52 < *unaffected

Weaknesses

  • CWE-837: Improper Enforcement of a Single, Unique Action

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References