CVE-2024-4629: Keycloak: potential bypass of brute force protection
First published: Tue Apr 23 2024(Updated: )
## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gc7q-jgjv-vjr2. This link is maintained to preserve external references. ## Original Description A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Keycloak | <24.0.3 | 24.0.3 |
| maven/org.keycloak:keycloak-services | <=24.0.3 | 24.0.4 |
| maven/org.keycloak:keycloak-services | >=25.0.0<25.0.4 | 25.0.4 |
| maven/org.keycloak:keycloak-services | >=23.0.0<24.0.7 | 24.0.7 |
| maven/org.keycloak:keycloak-services | <22.0.12 | 22.0.12 |
| Red Hat Keycloak | <24.0.3 | |
| Red Hat Keycloak | >=22.0<22.012 | |
| Red Hat Single Sign-On | ||
| All of | ||
| Red Hat Single Sign-On | >=7.6<7.6.10 | |
| Any of | ||
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux | =9.0 | |
| All of | ||
| Any of | ||
| Red Hat OpenShift Container Platform | =4.11 | |
| Red Hat OpenShift Container Platform | =4.12 | |
| Red Hat OpenShift Container Platform | =4.9 | |
| Red Hat OpenShift Container Platform | =4.10 | |
| Red Hat OpenShift Container Platform for Power | =4.9 | |
| Red Hat OpenShift Container Platform for Power | =4.10 | |
| Red Hat OpenShift Container Platform | =4.9 | |
| Red Hat OpenShift Container Platform | =4.10 | |
| Red Hat Enterprise Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2024:6499
- https://access.redhat.com/errata/RHSA-2024:6493
- https://access.redhat.com/errata/RHSA-2024:6494
- https://access.redhat.com/errata/RHSA-2024:6501
- https://access.redhat.com/errata/RHSA-2024:6500
- https://access.redhat.com/errata/RHSA-2024:6495
- https://access.redhat.com/errata/RHSA-2024:6497
- https://bugzilla.redhat.com/show_bug.cgi?id=2276761
- https://access.redhat.com/security/cve/CVE-2024-4629
- https://nvd.nist.gov/vuln/detail/CVE-2024-4629
- https://github.com/advisories/GHSA-8wm9-24qg-m5qj (Advisory)
- https://github.com/keycloak/keycloak/security/advisories/GHSA-gc7q-jgjv-vjr2
- https://github.com/keycloak/keycloak/commit/d78b3072ffffbff3954bf9f3181e3daf8e93c1ab
- https://github.com/keycloak/keycloak/commit/c8053dd812d9b9f05b293f901b9dc39e061ebb88
- https://github.com/keycloak/keycloak/commit/b25c28458a562abda2f84fc684e59cce8577e562
- https://github.com/keycloak/keycloak/commit/99f92ad5fff5555d53930c2d32f8be3e08c514c1
- https://github.com/keycloak/keycloak/commit/461fa631dc55b9739c9ed8c49de9f5b213955200
- https://github.com/keycloak/keycloak/commit/2fb358e1a21c5387cdc11100ce3562b4dcfe5416
- https://github.com/advisories/GHSA-gc7q-jgjv-vjr2 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-4629?
CVE-2024-4629 has been classified as of moderate severity due to the potential for attackers to bypass brute force protection mechanisms.
How do I fix CVE-2024-4629?
To fix CVE-2024-4629, it is recommended to upgrade Keycloak to version 24.0.4 or later.
Which versions of Keycloak are affected by CVE-2024-4629?
Keycloak versions up to and including 24.0.3 are affected by CVE-2024-4629.
Is CVE-2024-4629 a public vulnerability?
Yes, CVE-2024-4629 has been publicly disclosed as it relates to a flaw in Keycloak.
What types of attacks does CVE-2024-4629 enable?
CVE-2024-4629 enables attackers to potentially bypass established brute force protections, making systems more vulnerable to unauthorized access.
- agent/title
- agent/type
- agent/first-publish-date
- agent/severity
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-4629
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8wm9-24qg-m5qj
- alias/GHSA-gc7q-jgjv-vjr2
- agent/references
- agent/weakness
- agent/description
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/redhat
- package-manager/maven
- vendor/redhat
- canonical/red hat keycloak
- version/red hat keycloak/22.0
- canonical/red hat single sign-on
- version/red hat single sign-on/7.6
- canonical/red hat enterprise linux
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0
- version/red hat enterprise linux/9.0
- canonical/red hat openshift container platform
- version/red hat openshift container platform/4.11
- version/red hat openshift container platform/4.12
- version/red hat openshift container platform/4.9
- version/red hat openshift container platform/4.10
- canonical/red hat openshift container platform for power
- version/red hat openshift container platform for power/4.9
- version/red hat openshift container platform for power/4.10