Bug 2276761 (CVE-2024-4629)
| Summary: | CVE-2024-4629 keycloak: potential bypass of brute force protection | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Robb Gatica <rgatica> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, chazlett, darran.lofthouse, dkreling, dosoudil, drichtar, istudens, ivassile, iweiss, jkoops, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, pdrozd, peholase, pjindal, pmackay, pskopek, rmartinc, rowaters, rstancel, security-response-team, smaestri, sthorger, tom.jenkinson |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Keycloak 24.0.3 | Doc Type: | If docs needed, set a value |
| Doc Text: | A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2276748 | ||
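
The timing loophole described in the Doc Text is a check-then-act race on the per-user failed-attempt counter. The Go model below is added here as an illustration and is not Keycloak's code: it contrasts a limiter whose "is the user locked?" check and failure increment are separate steps with one that reserves the attempt inside a single critical section, so a burst of concurrent requests can never exceed the configured limit. The user name and limits are constructed values.

```go
package main

import "sync"
import "sync/atomic"

// Limiter counts failed logins per user (illustrative model, not Keycloak's code).
type Limiter struct {
	mu       sync.Mutex
	limit    int
	failures map[string]int
}

// RacyBurst models check-then-act under n simultaneous requests: every request
// passes the lock check before any of them records a failure, so all n get through.
func RacyBurst(limit, n int) int {
	l, passed := &Limiter{limit: limit, failures: map[string]int{}}, 0
	for i := 0; i < n && l.failures["alice"] < l.limit; i++ { // constructed user
		passed++ // phase 1: the counter is still below the limit for everyone
	}
	l.failures["alice"] += passed // phase 2: failures land only after all checks
	return passed
}

// TryAttempt tests and raises the counter in one critical section, so at most
// `limit` attempts reach the password check whatever the interleaving.
func (l *Limiter) TryAttempt(user string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.failures[user] >= l.limit {
		return false
	}
	l.failures[user]++ // a successful login would reset this; omitted here
	return true
}

// SafeBurst fires n goroutines at TryAttempt and returns how many were permitted.
func SafeBurst(limit, n int) int {
	l, permitted := &Limiter{limit: limit, failures: map[string]int{}}, int32(0)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if l.TryAttempt("alice") {
				atomic.AddInt32(&permitted, 1)
			}
		}()
	}
	wg.Wait()
	return int(permitted)
}
```

With a limit of 3 and a burst of 10, the racy model lets all 10 attempts reach the password check while the atomic limiter permits exactly 3 on every run.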
Description
Robb Gatica
2024-04-23 21:22:17 UTC
- This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2024:6499 https://access.redhat.com/errata/RHSA-2024:6499
- This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2024:6493 https://access.redhat.com/errata/RHSA-2024:6493
- This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2024:6494 https://access.redhat.com/errata/RHSA-2024:6494
- This issue has been addressed in the following products: Red Hat build of Keycloak 22 Via RHSA-2024:6501 https://access.redhat.com/errata/RHSA-2024:6501
- This issue has been addressed in the following products: Red Hat build of Keycloak 22 Via RHSA-2024:6500 https://access.redhat.com/errata/RHSA-2024:6500
- This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2024:6495 https://access.redhat.com/errata/RHSA-2024:6495
- This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2024:6497 https://access.redhat.com/errata/RHSA-2024:6497