Home > Vulnerability Database > CVE-2024-4629

Mend.io Vulnerability Database

CVE-2024-4629

Good to know:

Date: September 3, 2024

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Language: Java

Severity Score

6.5

Related Resources (21)

Url: https://access.redhat.com/errata/RHSA-2024:6495

Url: https://github.com/keycloak/keycloak/commit/d78b3072ffffbff3954bf9f3181e3daf8e93c1ab

Url: https://access.redhat.com/errata/RHSA-2024:6494

Url: https://access.redhat.com/errata/RHSA-2024:6493

Url: https://access.redhat.com/errata/RHSA-2024:6500

Url: https://github.com/keycloak/keycloak/commit/461fa631dc55b9739c9ed8c49de9f5b213955200

Url: https://access.redhat.com/errata/RHSA-2024:6499

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2276761

Url: https://access.redhat.com/errata/RHSA-2024:6497

Url: https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/

Url: https://github.com/keycloak/keycloak/commit/c8053dd812d9b9f05b293f901b9dc39e061ebb88

Url: https://access.redhat.com/security/cve/CVE-2024-4629

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-4629

Url: https://github.com/keycloak/keycloak/commit/2fb358e1a21c5387cdc11100ce3562b4dcfe5416

Url: https://github.com/keycloak/keycloak/commit/99f92ad5fff5555d53930c2d32f8be3e08c514c1

Url: https://github.com/keycloak/keycloak/security/advisories/GHSA-gc7q-jgjv-vjr2

Url: https://access.redhat.com/errata/RHSA-2024:6501

Url: https://github.com/hnsecurity/vulns/blob/main/HNS-2024-09-Keycloak.md

Url: https://github.com/keycloak/keycloak

Url: https://github.com/keycloak/keycloak/commit/b25c28458a562abda2f84fc684e59cce8577e562

Url: https://www.mend.io/vulnerability-database/CVE-2024-4629

Severity Score

6.5

Weakness Type (CWE)

Improper Restriction of Excessive Authentication Attempts

CWE-307

Improper Enforcement of a Single, Unique Action

CWE-837

Top Fix

Upgrade Version

Upgrade to version org.keycloak:keycloak-services:25.0.4

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-4629

Good to know:

Date: September 3, 2024

Language: Java

Severity Score

Related Resources (21)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?