Vulnerability DatabaseCVE-2024-4629
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-4629
September 03, 2024
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
Affected Packages
org.keycloak:keycloak-services (JAVA):
Affected version(s) >=25.0.0 <25.0.4
Fix Suggestion:
Update to version 25.0.4
Related Resources (20)
https://github.com/keycloak/keycloak/commit/461fa631dc55b9739c9ed8c49de9f5b213955200
https://access.redhat.com/errata/RHSA-2024:6501
https://bugzilla.redhat.com/show_bug.cgi?id=2276761
https://github.com/keycloak/keycloak/security/advisories/GHSA-gc7q-jgjv-vjr2
https://github.com/keycloak/keycloak/commit/d78b3072ffffbff3954bf9f3181e3daf8e93c1ab
https://github.com/keycloak/keycloak/commit/c8053dd812d9b9f05b293f901b9dc39e061ebb88
https://github.com/keycloak/keycloak/commit/2fb358e1a21c5387cdc11100ce3562b4dcfe5416
https://github.com/keycloak/keycloak
https://access.redhat.com/errata/RHSA-2024:6495
https://access.redhat.com/security/cve/CVE-2024-4629
https://access.redhat.com/errata/RHSA-2024:6499
https://access.redhat.com/errata/RHSA-2024:6497
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-09-Keycloak.md
https://access.redhat.com/errata/RHSA-2024:6493
https://nvd.nist.gov/vuln/detail/CVE-2024-4629
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/
https://github.com/keycloak/keycloak/commit/99f92ad5fff5555d53930c2d32f8be3e08c514c1
https://github.com/keycloak/keycloak/commit/b25c28458a562abda2f84fc684e59cce8577e562
https://access.redhat.com/errata/RHSA-2024:6494
https://access.redhat.com/errata/RHSA-2024:6500
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Restriction of Excessive Authentication Attempts
CWE-307
Improper Enforcement of a Single, Unique Action
CWE-837
EPSS
Base Score:
1.09