Bug 2301876 (CVE-2024-7318) - CVE-2024-7318 keycloak-core: One Time Passcode (OTP) is valid longer than expiration time
Summary: CVE-2024-7318 keycloak-core: One Time Passcode (OTP) is valid longer than exp...
Keywords:
Status: CLOSED COMPLETED
Alias: CVE-2024-7318
Deadline: 2024-09-09
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Severity: low
Priority: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-07-31 03:08 UTC by Patrick Del Bello
Modified: 2025-05-02 20:50 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-10-31 13:24:52 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:6502 0 None None None 2024-09-09 16:05:30 UTC
Red Hat Product Errata RHSA-2024:6503 0 None None None 2024-09-09 16:05:52 UTC

Description Patrick Del Bello 2024-07-31 03:08:38 UTC
Expired OTP codes are still usable when using FreeOTP when OTP token period is set to 30 seconds (default). It was found that instead of expiring and being unusable around 30 seconds in, the tokens actually are valid for an additional 30 seconds, to total 1 minute. In this case, this occurs with default OTP Policy settings of:
OTP Type: Time-based
OTP Hash Algorithm: SHA1
Number of digits: 6
Look around window: 1
OTP Token period: 30 seconds
Reusable Token: off
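An added example, not part of the report or of Keycloak's code, that shows why the policy settings above stretch acceptance of a code to 60 seconds: an RFC 6238 TOTP verifier with a "look around window" of 1 accepts the previous and next 30-second step as well as the current one, so a code is still accepted for the whole step after the one it was generated in. The secret and timestamps below are constructed test values.

```python
import hashlib
import hmac
import struct

PERIOD = 30       # "OTP Token period: 30 seconds"
DIGITS = 6        # "Number of digits: 6"
LOOK_AROUND = 1   # "Look around window: 1"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP over an 8-byte big-endian counter, HMAC-SHA1 ("OTP Hash Algorithm: SHA1")."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the current time step."""
    return hotp(secret, now // period)


def verify(secret: bytes, code: str, now: int,
           look_around: int = LOOK_AROUND, period: int = PERIOD) -> bool:
    """Accept the code if it matches any step within +/- look_around of the current step.

    This is the behaviour a look-around (clock-skew) window gives a verifier; the
    constant-time compare avoids leaking which candidate step matched.
    """
    step = now // period
    return any(hmac.compare_digest(hotp(secret, step + delta), code)
               for delta in range(-look_around, look_around + 1))


def seconds_valid_past_expiry(secret: bytes, issued_at: int,
                              look_around: int = LOOK_AROUND, period: int = PERIOD) -> int:
    """Seconds after a code's nominal expiry (end of its own time step) that it is still accepted.

    Scans second by second from the nominal expiry until verify() first rejects the code.
    With look_around=1 and a 30 s period this is 30 (code usable for 60 s in total);
    with look_around=0 it is 0 (code dies with its own step, at the cost of rejecting
    authenticators whose clock has drifted into a neighbouring step).
    """
    code = totp(secret, issued_at, period)
    nominal_expiry = (issued_at // period + 1) * period
    t = nominal_expiry
    while verify(secret, code, t, look_around, period):
        t += 1
    return t - nominal_expiry
```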

Comment 1 Bruno Oliveira 2024-07-31 14:52:14 UTC
Please add the steps to reproduce.

Comment 2 errata-xmlrpc 2024-09-09 16:05:29 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 24

Via RHSA-2024:6502 https://access.redhat.com/errata/RHSA-2024:6502

Comment 3 errata-xmlrpc 2024-09-09 16:05:50 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:6503 https://access.redhat.com/errata/RHSA-2024:6503

Comment 5 Red Hat Bugzilla 2025-03-01 04:25:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
