Описание
Keycloak Services has a potential bypass of brute force protection
If an attacker launches many login attempts in parallel then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user.
Acknowledgements: Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.
Ссылки
- https://github.com/keycloak/keycloak/security/advisories/GHSA-gc7q-jgjv-vjr2
- https://nvd.nist.gov/vuln/detail/CVE-2024-4629
- https://github.com/keycloak/keycloak/commit/d78b3072ffffbff3954bf9f3181e3daf8e93c1ab
- https://github.com/keycloak/keycloak/commit/c8053dd812d9b9f05b293f901b9dc39e061ebb88
- https://github.com/keycloak/keycloak/commit/b25c28458a562abda2f84fc684e59cce8577e562
- https://github.com/keycloak/keycloak/commit/99f92ad5fff5555d53930c2d32f8be3e08c514c1
- https://github.com/keycloak/keycloak/commit/461fa631dc55b9739c9ed8c49de9f5b213955200
- https://github.com/keycloak/keycloak/commit/2fb358e1a21c5387cdc11100ce3562b4dcfe5416
- https://bugzilla.redhat.com/show_bug.cgi?id=2276761
- https://access.redhat.com/security/cve/CVE-2024-4629
- https://access.redhat.com/errata/RHSA-2024:6501
- https://access.redhat.com/errata/RHSA-2024:6500
- https://access.redhat.com/errata/RHSA-2024:6499
- https://access.redhat.com/errata/RHSA-2024:6497
- https://access.redhat.com/errata/RHSA-2024:6495
- https://access.redhat.com/errata/RHSA-2024:6494
- https://access.redhat.com/errata/RHSA-2024:6493
Пакеты
org.keycloak:keycloak-services
< 22.0.12
22.0.12
org.keycloak:keycloak-services
>= 23.0.0, < 24.0.7
24.0.7
org.keycloak:keycloak-services
>= 25.0.0, < 25.0.4
25.0.4
EPSS
6.9 Medium
CVSS4
6.5 Medium
CVSS3
CVE ID
Дефекты
Связанные уязвимости
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
A vulnerability was found in Keycloak. This flaw allows attackers to b ...
EPSS
6.9 Medium
CVSS4
6.5 Medium
CVSS3