CVE-2024-4629: Keycloak: potential bypass of brute force protection
First published: Tue Apr 23 2024(Updated: )
## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gc7q-jgjv-vjr2. This link is maintained to preserve external references. ## Original Description A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Keycloak | <24.0.3 | 24.0.3 |
| maven/org.keycloak:keycloak-services | <=24.0.3 | 24.0.4 |
| Redhat Keycloak | <24.0.3 | |
| Redhat Build Of Keycloak | >=22.0<22.012 | |
| Redhat Single Sign-on | ||
| All of | ||
| Redhat Single Sign-on | >=7.6<7.6.10 | |
| Any of | ||
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 | |
| All of | ||
| Any of | ||
| Redhat Openshift Container Platform | =4.11 | |
| Redhat Openshift Container Platform | =4.12 | |
| Redhat Openshift Container Platform For Linuxone | =4.9 | |
| Redhat Openshift Container Platform For Linuxone | =4.10 | |
| Redhat Openshift Container Platform For Power | =4.9 | |
| Redhat Openshift Container Platform For Power | =4.10 | |
| Redhat Openshift Container Platform Ibm Z Systems | =4.9 | |
| Redhat Openshift Container Platform Ibm Z Systems | =4.10 | |
| Redhat Enterprise Linux | =8.0 | |
| maven/org.keycloak:keycloak-services | >=25.0.0<25.0.4 | 25.0.4 |
| maven/org.keycloak:keycloak-services | >=23.0.0<24.0.7 | 24.0.7 |
| maven/org.keycloak:keycloak-services | <22.0.12 | 22.0.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2024:6499
- https://access.redhat.com/errata/RHSA-2024:6493
- https://access.redhat.com/errata/RHSA-2024:6494
- https://access.redhat.com/errata/RHSA-2024:6501
- https://access.redhat.com/errata/RHSA-2024:6500
- https://access.redhat.com/errata/RHSA-2024:6495
- https://access.redhat.com/errata/RHSA-2024:6497
- https://bugzilla.redhat.com/show_bug.cgi?id=2276761
- https://access.redhat.com/security/cve/CVE-2024-4629
- https://nvd.nist.gov/vuln/detail/CVE-2024-4629
- https://github.com/advisories/GHSA-8wm9-24qg-m5qj (Advisory)
- https://github.com/keycloak/keycloak/security/advisories/GHSA-gc7q-jgjv-vjr2
- https://github.com/keycloak/keycloak/commit/d78b3072ffffbff3954bf9f3181e3daf8e93c1ab
- https://github.com/keycloak/keycloak/commit/c8053dd812d9b9f05b293f901b9dc39e061ebb88
- https://github.com/keycloak/keycloak/commit/b25c28458a562abda2f84fc684e59cce8577e562
- https://github.com/keycloak/keycloak/commit/99f92ad5fff5555d53930c2d32f8be3e08c514c1
- https://github.com/keycloak/keycloak/commit/461fa631dc55b9739c9ed8c49de9f5b213955200
- https://github.com/keycloak/keycloak/commit/2fb358e1a21c5387cdc11100ce3562b4dcfe5416
- https://github.com/advisories/GHSA-gc7q-jgjv-vjr2 (Advisory)
- agent/title
- agent/weakness
- agent/type
- agent/description
- agent/first-publish-date
- agent/severity
- agent/event
- agent/author
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-4629
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- source/GitHub
- alias/GHSA-8wm9-24qg-m5qj
- collector/nvd-api
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/github-advisory-latest
- alias/GHSA-gc7q-jgjv-vjr2
- package-manager/redhat
- package-manager/maven
- vendor/redhat
- canonical/redhat keycloak
- canonical/redhat build of keycloak
- version/redhat build of keycloak/22.0
- canonical/redhat single sign-on
- version/redhat single sign-on/7.6
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/9.0
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.11
- version/redhat openshift container platform/4.12
- canonical/redhat openshift container platform for linuxone
- version/redhat openshift container platform for linuxone/4.9
- version/redhat openshift container platform for linuxone/4.10
- canonical/redhat openshift container platform for power
- version/redhat openshift container platform for power/4.9
- version/redhat openshift container platform for power/4.10
- canonical/redhat openshift container platform ibm z systems
- version/redhat openshift container platform ibm z systems/4.9
- version/redhat openshift container platform ibm z systems/4.10