First published: Wed Jul 31 2024
# Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-xmmm-jw76-q7vg. This link is maintained to preserve external references.

# Original Description

A vulnerability was found in Keycloak. Expired OTP codes remain usable when FreeOTP is the authenticator and the OTP token period is set to the default of 30 seconds. Instead of expiring and being deemed unusable around 30 seconds after issue, a token remains valid for an additional 30 seconds, for a total of 1 minute. A one-time passcode that stays valid beyond its expiration time widens the window in which a captured or guessed code can be replayed to compromise an account. It also increases the attack surface because, at any given instant, two OTPs are valid rather than one.
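To make the extra 30 seconds concrete, the following is an added example, not Keycloak's code and not a description of how Keycloak implements OTP checking. It is an RFC 6238 TOTP validator whose look-behind window is a parameter: `look_behind=0` is the strict behaviour the advisory expects, and `look_behind=1` reproduces the symptom it describes, where the previous period's code is still accepted, so a code issued at the start of a period validates for a full 60 seconds and two codes are acceptable at any instant. The secret is the RFC 4226 test key and the timestamps are constructed values.

```python
"""Added example (not Keycloak's code): RFC 6238 TOTP validation with a
configurable look-behind window, showing how accepting one earlier time
step turns a 30-second code into a 60-second one."""
import hashlib
import hmac
import struct

PERIOD = 30   # default TOTP period in seconds (the FreeOTP / Keycloak default)
DIGITS = 6

# Constructed sample secret (the RFC 4226 test key), not a real credential.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the low `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (now // period)."""
    return hotp(secret, now // period)


def verify(secret: bytes, code: str, now: int, look_behind: int,
           period: int = PERIOD) -> bool:
    """Accept `code` if it matches the current step or any of the
    `look_behind` preceding steps. look_behind=0 is the strict check;
    look_behind=1 also accepts the previous (already expired) code."""
    current = now // period
    return any(hmac.compare_digest(hotp(secret, current - back), code)
               for back in range(look_behind + 1))


def valid_codes_at(secret: bytes, now: int, look_behind: int,
                   period: int = PERIOD) -> set:
    """Every code the validator would accept at instant `now`."""
    current = now // period
    return {hotp(secret, current - back) for back in range(look_behind + 1)}


def acceptance_lifetime(issued_at: int, look_behind: int,
                        period: int = PERIOD) -> int:
    """Seconds a code issued at `issued_at` keeps validating: it is
    accepted until the end of step (issued_step + look_behind)."""
    issued_step = issued_at // period
    return (issued_step + look_behind + 1) * period - issued_at


def demo() -> dict:
    """Walk one code through time under a strict and a lenient validator."""
    issued_at = 0                         # start of time step 0
    code = totp(SECRET, issued_at)
    return {
        "code": code,
        "strict_at_29s": verify(SECRET, code, 29, look_behind=0),
        "strict_at_31s": verify(SECRET, code, 31, look_behind=0),
        "lenient_at_31s": verify(SECRET, code, 31, look_behind=1),
        "lenient_at_60s": verify(SECRET, code, 60, look_behind=1),
        "strict_lifetime": acceptance_lifetime(issued_at, look_behind=0),
        "lenient_lifetime": acceptance_lifetime(issued_at, look_behind=1),
        "codes_valid_at_once_strict": len(valid_codes_at(SECRET, 31, 0)),
        "codes_valid_at_once_lenient": len(valid_codes_at(SECRET, 31, 1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run stand-alone, `demo()` shows the strict validator rejecting the step-0 code at 31 seconds while the lenient one still accepts it and only rejects it at 60 seconds, with one versus two simultaneously valid codes. In general TOTP practice a small look-behind is sometimes kept deliberately to tolerate clock skew between server and authenticator, which is why the advisory frames the extra period as unintended for the default configuration rather than as a flaw in the algorithm. Whatever window is chosen, remembering the last step at which a user authenticated and refusing to accept that step (or any earlier one) again prevents replay of a captured code within the window; that guard is independent of the window size and is not shown above.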
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.keycloak:keycloak-core | >=25.0.0, <25.0.4 | 25.0.4 |
| maven/org.keycloak:keycloak-core | <24.0.7 | 24.0.7 |
| Red Hat Build of Keycloak | >=22.0, <24.0.7 | |
CVE-2024-7318 has a moderate severity rating because expired OTP codes remain usable for an additional 30 seconds, widening the replay window.
To fix CVE-2024-7318, update Keycloak to version 25.0.4 (for the 25.x line) or 24.0.7 (for earlier releases).
CVE-2024-7318 affects org.keycloak:keycloak-core versions before 24.0.7 and versions 25.0.0 through 25.0.3, and Red Hat Build of Keycloak from 22.0 up to but not including 24.0.7.
Yes, the GitHub advisory for CVE-2024-7318 was withdrawn as a duplicate of GHSA-xmmm-jw76-q7vg.
CVE-2024-7318 affects Keycloak's OTP validation when codes are generated by FreeOTP with the default 30-second token period.