GoogleOSV:GHSA-GC7Q-JGJV-VJR2Keycloak Services has a potential bypass of brute force protection
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
AI Score
Confidence
High
If an attacker launches many login attempts in parallel then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user.
Acknowledgements:
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.
References
access.redhat.com/errata/RHSA-2024:6493
access.redhat.com/errata/RHSA-2024:6494
access.redhat.com/errata/RHSA-2024:6495
access.redhat.com/errata/RHSA-2024:6497
access.redhat.com/errata/RHSA-2024:6499
access.redhat.com/errata/RHSA-2024:6500
access.redhat.com/errata/RHSA-2024:6501
access.redhat.com/security/cve/CVE-2024-4629
bugzilla.redhat.com/show_bug.cgi?id=2276761
github.com/keycloak/keycloak
github.com/keycloak/keycloak/commit/2fb358e1a21c5387cdc11100ce3562b4dcfe5416
github.com/keycloak/keycloak/commit/461fa631dc55b9739c9ed8c49de9f5b213955200
github.com/keycloak/keycloak/commit/99f92ad5fff5555d53930c2d32f8be3e08c514c1
github.com/keycloak/keycloak/commit/b25c28458a562abda2f84fc684e59cce8577e562
github.com/keycloak/keycloak/commit/c8053dd812d9b9f05b293f901b9dc39e061ebb88
github.com/keycloak/keycloak/commit/d78b3072ffffbff3954bf9f3181e3daf8e93c1ab
github.com/keycloak/keycloak/security/advisories/GHSA-gc7q-jgjv-vjr2
nvd.nist.gov/vuln/detail/CVE-2024-4629
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
AI Score
Confidence
High