Description
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
Statement
This vulnerability is classified as low severity due to its potential impact on account security in Keycloak environments. By exploiting the timing between login attempts and the application of brute force protection, attackers can circumvent lockout mechanisms intended to prevent multiple failed authentication attempts. This allows attackers to increase the number of guesses they can make within the authentication system, potentially leading to unauthorized access to user accounts. Red Hat has evaluated this vulnerability and determined that it only affects Red Hat Single Sign-On (RHSSO) and Red Hat Build of Keycloak (RHBK).
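The timing loophole described above is a check-then-record race in the lockout counter. The following added example (not Keycloak's code; the limiter types and the threshold of 5 are constructed for the demonstration) forces the worst-case interleaving with a barrier and compares a limiter that records failures after verification with one that reserves the attempt atomically at admission:

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)
const maxFailures = 5 // configured lockout threshold (constructed value for this demo)
// Limiter is the brute-force guard that sits in front of password verification.
type Limiter interface {
	Admit() bool    // called before the password is checked
	RecordFailure() // called after the check fails
}
// racyLimiter checks the counter first and records the failure only after
// verification, so attempts that arrive together all see the pre-lockout count.
type racyLimiter struct{ failures int64 }
func (l *racyLimiter) Admit() bool    { return atomic.LoadInt64(&l.failures) < maxFailures }
func (l *racyLimiter) RecordFailure() { atomic.AddInt64(&l.failures, 1) }
// reservingLimiter counts the attempt atomically at admission, so the limit holds
// however many requests arrive at once (a successful login would reset it; not shown).
type reservingLimiter struct{ attempts int64 }
func (l *reservingLimiter) Admit() bool    { return atomic.AddInt64(&l.attempts, 1) <= maxFailures }
func (l *reservingLimiter) RecordFailure() {} // already counted at admission
// simulate runs n failing logins in the worst-case interleaving (a barrier makes every
// attempt pass Admit before any calls RecordFailure) and returns how many got through.
func simulate(l Limiter, n int) int {
	var admitted int64
	var checked, done sync.WaitGroup
	checked.Add(n)
	done.Add(n)
	for i := 0; i < n; i++ {
		go func() {
			defer done.Done()
			ok := l.Admit()
			checked.Done()
			checked.Wait() // all attempts have been admitted or rejected by now
			if ok {
				atomic.AddInt64(&admitted, 1)
				l.RecordFailure()
			}
		}()
	}
	done.Wait()
	return int(admitted)
}
func main() {
	fmt.Println("racy limiter admitted:", simulate(&racyLimiter{}, 20))           // 20
	fmt.Println("reserving limiter admitted:", simulate(&reservingLimiter{}, 20)) // 5
}
```

The racy design admits every one of the 20 concurrent attempts; the reserving design admits exactly the configured 5, regardless of how many arrive at once.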
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, and stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 8 | org.keycloak-keycloak-parent | Not affected | | |
| Red Hat Build of Keycloak | org.keycloak-keycloak-parent | Fixed | RHSA-2024:6501 | 09.09.2024 |
| Red Hat build of Keycloak 22 | rhbk/keycloak-operator-bundle | Fixed | RHSA-2024:6500 | 09.09.2024 |
| Red Hat build of Keycloak 22 | rhbk/keycloak-rhel9 | Fixed | RHSA-2024:6500 | 09.09.2024 |
| Red Hat build of Keycloak 22 | rhbk/keycloak-rhel9-operator | Fixed | RHSA-2024:6500 | 09.09.2024 |
| Red Hat Single Sign-On 7 | org.keycloak-keycloak-parent | Fixed | RHSA-2024:6499 | 09.09.2024 |
| Red Hat Single Sign-On 7.6 for RHEL 7 | rh-sso7-keycloak | Fixed | RHSA-2024:6493 | 09.09.2024 |
| Red Hat Single Sign-On 7.6 for RHEL 8 | rh-sso7-keycloak | Fixed | RHSA-2024:6494 | 09.09.2024 |
| Red Hat Single Sign-On 7.6 for RHEL 9 | rh-sso7-keycloak | Fixed | RHSA-2024:6495 | 09.09.2024 |
| RHEL-8 based Middleware Containers | rh-sso-7/sso76-openshift-rhel8 | Fixed | RHSA-2024:6497 | 09.09.2024 |
Additional information
Status:
CVSS3: 6.5 Medium
Related vulnerabilities
Keycloak Services has a potential bypass of brute force protection (CVSS3: 6.5 Medium)