CVE-2024-4629

Sept. 16, 2024, 3:51 p.m.

6.5
Medium

Description

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Product(s) Impacted

Vendor Product Versions
Redhat
  • Keycloak
  • Build Of Keycloak
  • Single Sign-on
  • Enterprise Linux
  • Openshift Container Platform
  • Openshift Container Platform For Linuxone
  • Openshift Container Platform For Power
  • Openshift Container Platform Ibm Z Systems
  • *
  • *
  • -, *
  • 7.0, 8.0, 9.0
  • 4.11, 4.12
  • 4.9, 4.10
  • 4.9, 4.10
  • 4.9, 4.10

Weaknesses

CWE-837
Improper Enforcement of a Single, Unique Action
The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.

*CPE(s)

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a redhat keycloak / / / / / / / /
a redhat build_of_keycloak / / / / / / / /
a redhat single_sign-on - / / / text-only / / /
a redhat single_sign-on / / / / / / / /
o redhat enterprise_linux 7.0 / / / / / / /
o redhat enterprise_linux 8.0 / / / / / / /
o redhat enterprise_linux 9.0 / / / / / / /
a redhat openshift_container_platform 4.11 / / / / / / /
a redhat openshift_container_platform 4.12 / / / / / / /
a redhat openshift_container_platform_for_linuxone 4.9 / / / / / / /
a redhat openshift_container_platform_for_linuxone 4.10 / / / / / / /
a redhat openshift_container_platform_for_power 4.9 / / / / / / /
a redhat openshift_container_platform_for_power 4.10 / / / / / / /
a redhat openshift_container_platform_ibm_z_systems 4.9 / / / / / / /
a redhat openshift_container_platform_ibm_z_systems 4.10 / / / / / / /
o redhat enterprise_linux 8.0 / / / / / / /

References

https://access.redhat.com/errata/RHSA-2024:6493
https://access.redhat.com/errata/RHSA-2024:6494
https://access.redhat.com/errata/RHSA-2024:6495
https://access.redhat.com/errata/RHSA-2024:6497
https://access.redhat.com/errata/RHSA-2024:6499
https://access.redhat.com/errata/RHSA-2024:6500
https://access.redhat.com/errata/RHSA-2024:6501
https://access.redhat.com/security/cve/CVE-2024-4629
https://bugzilla.redhat.com/show_bug.cgi?id=2276761

Tags

secalert@redhat.com
2024-09-03
CVE-2024-4629
CWE-837

CVSS Score

6.5 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Date

  • Published: Sept. 3, 2024, 8:15 p.m.
  • Last Modified: Sept. 16, 2024, 3:51 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

secalert@redhat.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.