CVE-2024-4629: Keycloak: potential bypass of brute force protection
First published: Tue Apr 23 2024(Updated: )
## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gc7q-jgjv-vjr2. This link is maintained to preserve external references. ## Original Description A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Keycloak | <24.0.3 | 24.0.3 |
| maven/org.keycloak:keycloak-services | <=24.0.3 | 24.0.4 |
| maven/org.keycloak:keycloak-services | >=25.0.0<25.0.4 | 25.0.4 |
| maven/org.keycloak:keycloak-services | >=23.0.0<24.0.7 | 24.0.7 |
| maven/org.keycloak:keycloak-services | <22.0.12 | 22.0.12 |
| Redhat Keycloak | <24.0.3 | |
| Redhat Build Of Keycloak | >=22.0<22.012 | |
| Red Hat Single Sign-On | ||
| All of | ||
| Red Hat Single Sign-On | >=7.6<7.6.10 | |
| Any of | ||
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux | =9.0 | |
| All of | ||
| Any of | ||
| Red Hat OpenShift Container Platform | =4.11 | |
| Red Hat OpenShift Container Platform | =4.12 | |
| Redhat Openshift Container Platform For Linuxone | =4.9 | |
| Redhat Openshift Container Platform For Linuxone | =4.10 | |
| Red Hat OpenShift Container Platform | =4.9 | |
| Red Hat OpenShift Container Platform | =4.10 | |
| Red Hat OpenShift Container Platform | =4.9 | |
| Red Hat OpenShift Container Platform | =4.10 | |
| Red Hat Enterprise Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2024:6499
- https://access.redhat.com/errata/RHSA-2024:6493
- https://access.redhat.com/errata/RHSA-2024:6494
- https://access.redhat.com/errata/RHSA-2024:6501
- https://access.redhat.com/errata/RHSA-2024:6500
- https://access.redhat.com/errata/RHSA-2024:6495
- https://access.redhat.com/errata/RHSA-2024:6497
- https://bugzilla.redhat.com/show_bug.cgi?id=2276761
- https://access.redhat.com/security/cve/CVE-2024-4629
- https://nvd.nist.gov/vuln/detail/CVE-2024-4629
- https://github.com/advisories/GHSA-8wm9-24qg-m5qj (Advisory)
- https://github.com/keycloak/keycloak/security/advisories/GHSA-gc7q-jgjv-vjr2
- https://github.com/keycloak/keycloak/commit/d78b3072ffffbff3954bf9f3181e3daf8e93c1ab
- https://github.com/keycloak/keycloak/commit/c8053dd812d9b9f05b293f901b9dc39e061ebb88
- https://github.com/keycloak/keycloak/commit/b25c28458a562abda2f84fc684e59cce8577e562
- https://github.com/keycloak/keycloak/commit/99f92ad5fff5555d53930c2d32f8be3e08c514c1
- https://github.com/keycloak/keycloak/commit/461fa631dc55b9739c9ed8c49de9f5b213955200
- https://github.com/keycloak/keycloak/commit/2fb358e1a21c5387cdc11100ce3562b4dcfe5416
- https://github.com/advisories/GHSA-gc7q-jgjv-vjr2 (Advisory)
- agent/title
- agent/type
- agent/first-publish-date
- agent/severity
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-4629
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8wm9-24qg-m5qj
- alias/GHSA-gc7q-jgjv-vjr2
- agent/references
- agent/weakness
- agent/description
- agent/event
- collector/github-advisory
- agent/trending
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/tags
- agent/softwarecombine
- agent/source
- package-manager/redhat
- package-manager/maven
- vendor/redhat
- canonical/redhat keycloak
- canonical/redhat build of keycloak
- version/redhat build of keycloak/22.0
- canonical/red hat single sign-on
- version/red hat single sign-on/7.6
- canonical/red hat enterprise linux
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0
- version/red hat enterprise linux/9.0
- canonical/red hat openshift container platform
- version/red hat openshift container platform/4.11
- version/red hat openshift container platform/4.12
- canonical/redhat openshift container platform for linuxone
- version/redhat openshift container platform for linuxone/4.9
- version/redhat openshift container platform for linuxone/4.10
- version/red hat openshift container platform/4.9
- version/red hat openshift container platform/4.10