CVE-2024-4629

Опубликовано: 03 сент. 2024

Источник: nvd

CVSS3: 6.5

EPSS Низкий

Описание

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Ссылки

https://access.redhat.com/errata/RHSA-2024:6493
Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:6494
Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:6495
Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:6497
Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:6499
Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:6500
Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:6501
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2024-4629
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2276761
Issue Tracking
Vendor Advisory
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-09-Keycloak.md
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*

Версия до 24.0.3 (исключая)

Конфигурация 2

cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*

Версия от 22.0 (включая) до 22.012 (исключая)

Конфигурация 3

cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*

Конфигурация 4

Одновременно

cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*

Версия от 7.6 (включая) до 7.6.10 (исключая)

Одно из

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Конфигурация 5

Одновременно

Одно из

cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.9:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

EPSS

Процентиль: 74%

0.00807

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-837

Связанные уязвимости

CVE-2024-4629

CVSS3: 6.5

redhat

больше 1 года назад

CVE-2024-4629

CVSS3: 6.5

debian

больше 1 года назад

A vulnerability was found in Keycloak. This flaw allows attackers to b ...

GHSA-gc7q-jgjv-vjr2

CVSS3: 6.5

github

больше 1 года назад

Keycloak Services has a potential bypass of brute force protection

EPSS

Процентиль: 74%

0.00807

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-837