Lucene search
RedhatCVE-2024-4629HistorySep 03, 2024 - 8:15 p.m.
CVE-2024-4629
2024-09-0320:15:09
CWE-837
redhat
web.nvd.nist.gov
48
keycloak
vulnerability
brute force
login timing
compromised accounts
timing loophole
security
CVSS3
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
AI Score
7.2
Confidence
Low
EPSS
0.001
Percentile
36.9%
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
Affected configurations
Node
redhatkeycloakRange<24.0.3
Node
redhatbuild_of_keycloakRange22.0–22.012
Node
redhatsingle_sign-onMatch-text-only
Node
redhatsingle_sign-onRange7.6–7.6.10
redhatenterprise_linuxMatch7.0
ORredhatenterprise_linuxMatch8.0
ORredhatenterprise_linuxMatch9.0
Node
redhatopenshift_container_platformMatch4.11
ORredhatopenshift_container_platformMatch4.12
ORredhatopenshift_container_platform_for_linuxoneMatch4.9
ORredhatopenshift_container_platform_for_linuxoneMatch4.10
ORredhatopenshift_container_platform_for_powerMatch4.9
ORredhatopenshift_container_platform_for_powerMatch4.10
ORredhatopenshift_container_platform_ibm_z_systemsMatch4.9
ORredhatopenshift_container_platform_ibm_z_systemsMatch4.10
redhatenterprise_linuxMatch8.0
| Vendor | Product | Version | CPE |
|---|---|---|---|
| redhat | keycloak | * | cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:* |
| redhat | build_of_keycloak | * | cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:* |
| redhat | single_sign-on | - | cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:* |
| redhat | single_sign-on | * | cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 7.0 | cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 8.0 | cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 9.0 | cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* |
| redhat | openshift_container_platform | 4.11 | cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:* |
| redhat | openshift_container_platform | 4.12 | cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:* |
| redhat | openshift_container_platform_for_linuxone | 4.9 | cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:* |
CNA Affected
[
{
"vendor": "Red Hat",
"product": "Red Hat Build of Keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "org.keycloak-keycloak-parent",
"cpes": [
"cpe:/a:redhat:build_keycloak:22"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "rhbk/keycloak-operator-bundle",
"defaultStatus": "affected",
"versions": [
{
"version": "22.0.12-1",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:build_keycloak:22::el9"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "rhbk/keycloak-rhel9",
"defaultStatus": "affected",
"versions": [
{
"version": "22-17",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:build_keycloak:22::el9"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Keycloak 22",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "rhbk/keycloak-rhel9-operator",
"defaultStatus": "affected",
"versions": [
{
"version": "22-20",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:build_keycloak:22::el9"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "org.keycloak-keycloak-parent",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7.6 for RHEL 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "rh-sso7-keycloak",
"defaultStatus": "affected",
"versions": [
{
"version": "0:18.0.16-1.redhat_00001.1.el7sso",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7.6 for RHEL 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "rh-sso7-keycloak",
"defaultStatus": "affected",
"versions": [
{
"version": "0:18.0.16-1.redhat_00001.1.el8sso",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7.6 for RHEL 9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "rh-sso7-keycloak",
"defaultStatus": "affected",
"versions": [
{
"version": "0:18.0.16-1.redhat_00001.1.el9sso",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
]
},
{
"vendor": "Red Hat",
"product": "RHEL-8 based Middleware Containers",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "rh-sso-7/sso76-openshift-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "7.6-52",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:rhosemc:1.0::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "org.keycloak-keycloak-parent",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
]
}
]References
access.redhat.com/errata/RHSA-2024:6493
access.redhat.com/errata/RHSA-2024:6494
access.redhat.com/errata/RHSA-2024:6495
access.redhat.com/errata/RHSA-2024:6497
access.redhat.com/errata/RHSA-2024:6499
access.redhat.com/errata/RHSA-2024:6500
access.redhat.com/errata/RHSA-2024:6501
access.redhat.com/security/cve/CVE-2024-4629
bugzilla.redhat.com/show_bug.cgi?id=2276761
Related
nvd
nvd
CVE-2024-4629
2024-09-03 20:15:09
cvelist
cvelist
CVE-2024-4629 Keycloak: potential bypass of brute force protection
2024-09-03 19:42:01
vulnrichment
vulnrichment
CVE-2024-4629 Keycloak: potential bypass of brute force protection
2024-09-03 19:42:01
osv
osv
Keycloak has a brute force login protection bypass
2024-09-03 21:31:12
Keycloak Services has a potential bypass of brute force protection
2024-09-17 22:29:01
CVE-2024-4629
2024-09-03 20:15:09
redhatcve
redhatcve
CVE-2024-4629
2024-09-03 19:41:46
github
github
Keycloak Services has a potential bypass of brute force protection
2024-09-17 22:29:01
redhat
redhat
(RHSA-2024:6500) Moderate: Red Hat build of Keycloak 22.0.12 Images Update
2024-09-09 15:41:41
(RHSA-2024:6495) Moderate: Red Hat Single Sign-On 7.6.10 security update on RHEL 9
2024-09-09 15:27:35
(RHSA-2024:6499) Moderate: Red Hat Single Sign-On 7.6.10 security update
2024-09-09 15:37:10
nessus
nessus
CVSS3
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
AI Score
7.2
Confidence
Low
EPSS
0.001
Percentile
36.9%
Related for CVE-2024-4629