Bug 2265389 (CVE-2024-1722)

Summary: CVE-2024-1722 keycloak-core: DoS via account lockout
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: boliveir, chazlett, dpalmer, drichtar, mulliken, pdrozd, peholase, pjindal, pskopek, rowaters, sthorger
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2266338    
Bug Blocks: 2265392    

Description Nick Tait 2024-02-21 20:13:05 UTC
## Technical Details

Product: keycloak

Product Version: 23.0.5 (Latest release)


Platform: Linux (podman - in prod config)

### Summary:

In any realm set with "User (Self) registration", a user that is
registered with a username in email format can be "locked out"
(denied from logging in) using his username.

### Impact:

A successful exploit of the issue will prevent the specific user
from logging in to his account using his username.

### Steps to reproduce: (see the attached demo)

1. Assuming a realm is configured for "User registration"

1.1 Note: The "Verify email" and "Forgot password" settings can be
activated.

2. Set up a client in the relevant Realm.

3. Register a user to the realm (using a username in an email
format; the username and email should be different)

3.1 Note: This scenario can also happen if a user changes his
email at some point in time.

3.2 We will refer to this user as the victim.

3.3 Verify the user email (using the received email)

4. Login using the username and password.

4.1 Note: so far, all good.

5. Register a new user - set the attacker's email address to the
previous user's (victim's) username (any username can be used).

5.1 Assumption 2: The attacker obtained the victim's username.

5.2 Note: the attacker does not need access to the email, even when
the "Verify email" option is set.

6. At this point the victim cannot access his account using his
username.

6.1 Note: in the case where the "Forgot password" flow is set, the
user can "log in" using that flow (once).

6.2 The victim cannot log in using his username (even after a
password reset).

6.3 The victim can log in using his (registered) email.
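
The scenario in the steps above, modelled as an added example. This is not code from the report or from Keycloak; it is a small Python model of the identifier collision plus an audit you can run over user records. One assumption is baked in and marked in the code: when "Login with email" is enabled and the login input contains an "@", the email match is tried before the username match. That ordering is what makes the reporter's observations consistent (the victim can still log in with the registered email but not with the username once the attacker's unverified email equals that username). The `find_collisions` audit takes records in the shape the Admin REST API returns from `GET /admin/realms/{realm}/users` (`username`, `email`, `emailVerified`), so exported JSON can be fed to it directly; the sample records here are constructed. `email_is_registrable` is one possible mitigation for a registration flow, not the upstream fix.

```python
from dataclasses import dataclass
from typing import Optional

# Toy user store standing in for the Keycloak user provider. Passwords are
# kept in clear text only because this is a model of the lookup, nothing else.
@dataclass(frozen=True)
class User:
    username: str
    email: str
    password: str
    email_verified: bool = False


def find_user_by_name_or_email(users, login, login_with_email_allowed=True) -> Optional[User]:
    """Resolve what the user typed into the login form.

    ASSUMPTION: with 'Login with email' on and an '@' in the input, the email
    match is attempted first, then the username match. A second account whose
    (unverified) email equals someone else's username therefore shadows that
    username.
    """
    if login_with_email_allowed and "@" in login:
        for u in users:
            if u.email.lower() == login.lower():
                return u
    for u in users:
        if u.username.lower() == login.lower():
            return u
    return None


def login(users, login_value, password) -> Optional[str]:
    """Return the authenticated account's username, or None on failure."""
    user = find_user_by_name_or_email(users, login_value)
    if user is None or user.password != password:
        return None
    return user.username


def find_collisions(records):
    """Audit Admin-REST-style user records for the pattern in the report:
    one account's email equals another account's email-shaped username.
    Returns sorted (shadowed_username, username_of_colliding_account) pairs.
    An account whose email equals its own username is not a collision."""
    by_username = {r["username"].lower(): r for r in records if "@" in r["username"]}
    out = []
    for r in records:
        email = (r.get("email") or "").lower()
        shadowed = by_username.get(email)
        if shadowed is not None and shadowed["username"].lower() != r["username"].lower():
            out.append((shadowed["username"], r["username"]))
    return sorted(out)


def email_is_registrable(users, new_email) -> bool:
    """Example mitigation (not Keycloak's own fix): refuse an email that already
    matches any existing username or email, case-insensitively, so a new
    registration can never shadow another account's login identifier."""
    e = new_email.lower()
    return all(u.email.lower() != e and u.username.lower() != e for u in users)


# Constructed scenario following the report's steps: the victim's username is
# email-shaped and differs from the victim's real, verified email.
VICTIM = User("victim@example.com", "victim.real@example.com", "v-pass", True)
ATTACKER = User("mallory", "victim@example.com", "m-pass", False)  # email never verified


def run_scenario() -> dict:
    """Return what works before and after the attacker's registration."""
    before = [VICTIM]
    after = [VICTIM, ATTACKER]
    return {
        "username_login_before": login(before, "victim@example.com", "v-pass"),
        "username_login_after": login(after, "victim@example.com", "v-pass"),
        "email_login_after": login(after, "victim.real@example.com", "v-pass"),
        "attacker_email_allowed": email_is_registrable(before, "victim@example.com"),
        "collisions": find_collisions(
            [{"username": u.username, "email": u.email, "emailVerified": u.email_verified}
             for u in after]),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the block shows the username login succeeding before the attacker registers, failing afterwards, and the email login still working, which matches steps 4, 6.2 and 6.3. The audit flags exactly the victim/attacker pair, which is the check to run against a realm's exported users if you suspect this has been exploited; the mitigation check rejects the attacker's email at registration time.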

Comment 3 Nick Tait 2024-02-27 16:26:11 UTC
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2266338]