exploitDog
CVE-2024-1722

Published: 21 Feb 2024
Source: redhat
CVSS3: 3.7
EPSS: Low

Description

A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

Statement

While this attack allows an individual to be locked out of their account, the system as a whole remains in operation. The following conditions are required for successful exploitation:

  • The realm is configured to use "User (Self) registration"
  • The user registers with a username in email format
  • The attacker discovers a valid email address for an account

Because of these conditions, the security impact has been rated Low.

Mitigation

Red Hat Product Security is not aware of a way to completely mitigate this issue. However, the following techniques can be used to help prevent exploitation:

  • Put limits on the frequency of account registration, restricting how often an attacker could use this attack
  • Restrict new account registration so that email addresses are not allowed in the username field, for example by rejecting the "@" symbol. Note: this cannot prevent attacks against existing users who have registered with an email address as their username.

If this vulnerability has already been triggered, an administrator has two options to remedy it manually by modifying the second account (the attacker's):

  • Delete the account
  • Change the username
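The two mitigations and the manual remedy above can be turned into a small audit-and-guard script. The following is an added example and not Keycloak's or Red Hat's own code; it assumes the user list has the shape the Keycloak admin REST API returns from GET /admin/realms/{realm}/users (a JSON array of objects carrying at least "id", "username" and "email"), the username pattern and the registration quota are assumed policy values, and the sample user data is constructed for illustration.

```python
"""Audit and guard helpers for the CVE-2024-1722 lockout conditions.

Added example, not Keycloak's own code. Assumes the user list has the
shape returned by the Keycloak admin REST API (GET /admin/realms/{realm}/users:
a JSON array of objects with at least "id", "username" and "email"); the
sample data below is constructed for illustration.
"""
import re
import time
from collections import defaultdict, deque

# Usernames that look like email addresses are what makes the collision
# possible, so the registration-side guard rejects anything containing "@".
# The remaining character set and length limits are an assumed policy.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,64}$")


def username_allowed(username: str) -> bool:
    """Return True if a registration username is acceptable (second mitigation)."""
    if "@" in username:
        return False
    return USERNAME_RE.fullmatch(username) is not None


def find_username_email_collisions(users):
    """Find accounts whose username equals another account's email address.

    This is the state an attacker creates: a second account whose username
    is the victim's email. Returns (second_account, victim) pairs so an
    administrator can delete or rename the second account. Matching is
    case-insensitive because Keycloak treats usernames case-insensitively.
    """
    by_email = {}
    for u in users:
        email = (u.get("email") or "").strip().lower()
        if email:
            by_email.setdefault(email, []).append(u)
    collisions = []
    for u in users:
        uname = (u.get("username") or "").strip().lower()
        if "@" not in uname:
            continue
        for victim in by_email.get(uname, []):
            if victim["id"] != u["id"]:
                collisions.append((u, victim))
    return collisions


class RegistrationRateLimiter:
    """Sliding-window cap on registrations per source, e.g. client IP (first mitigation).

    Window and quota are assumed values; this logic belongs in the reverse
    proxy or WAF in front of the registration endpoint, not in Keycloak.
    """

    def __init__(self, max_per_window=3, window_seconds=3600, clock=time.monotonic):
        self.max = max_per_window
        self.window = window_seconds
        self.clock = clock
        self.events = defaultdict(deque)

    def allow(self, source: str) -> bool:
        now = self.clock()
        q = self.events[source]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True


# Constructed sample in the admin-API shape: "alice" is a legitimate user and
# account u-2 registered with alice's email address as its username.
SAMPLE_USERS = [
    {"id": "u-1", "username": "alice", "email": "alice@example.com"},
    {"id": "u-2", "username": "alice@example.com", "email": "mallory@evil.example"},
    {"id": "u-3", "username": "bob", "email": "bob@example.com"},
]

if __name__ == "__main__":
    for second, victim in find_username_email_collisions(SAMPLE_USERS):
        print(f"account {second['id']} (username {second['username']}) collides with "
              f"{victim['id']} (email {victim['email']}): delete it or change its username")
```

In a real deployment the audit function would be fed the paginated output of the admin API rather than the constructed list, and the rate limiter's quota should be set low enough that an attacker cannot register one colliding account per known email address in a useful time.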

Affected packages

Platform                        Package            State          Advisory    Release
Red Hat Build of Keycloak       keycloak-core      Affected
Red Hat Single Sign-On 7        rh-sso7-keycloak   Fix deferred


Additional information

Severity: Low
Weakness: CWE-645
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2265389 (keycloak-core: DoS via account lockout)

EPSS: 0.00407 (percentile 61%, Low)
CVSS3: 3.7 Low

Related vulnerabilities

CVSS3: 3.7
nvd
almost 2 years ago

A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

CVSS3: 3.7
debian
almost 2 years ago

A flaw was found in Keycloak. In certain conditions, this issue may al ...

CVSS3: 3.7
github
more than 1 year ago

Keycloak Denial of Service via account lockout

CVSS3: 3.7
fstec
almost 2 years ago

A vulnerability in the Keycloak identity and access management software, related to an overly restrictive user credential lockout mechanism, that allows an attacker to block a user's access to their account.
