CVE-2024-7318 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-7318

CVE-2024-7318

September 09, 2024

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.

Affected Packages

org.keycloak:keycloak-core (JAVA):

Affected version(s) >=25.0.0 <25.0.4

Fix Suggestion:

Update to version 25.0.4

Related Resources (7)

https://access.redhat.com/errata/RHSA-2024:6503

https://github.com/keycloak/keycloak/security/advisories/GHSA-xmmm-jw76-q7vg

https://bugzilla.redhat.com/show_bug.cgi?id=2301876

https://access.redhat.com/errata/RHSA-2024:6502

https://github.com/keycloak/keycloak

https://nvd.nist.gov/vuln/detail/CVE-2024-7318

https://access.redhat.com/security/cve/CVE-2024-7318

Do you need more information?

CVSS v4

Base Score:

6.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

4.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Use of a Key Past its Expiration Date

CWE-324

EPSS

Base Score:

1.39

Products

Solutions

Resources

Company

Compare

Developer Tools