#VU97468 Improper Restriction of Excessive Authentication Attempts in Keycloak - CVE-2024-4629
Vulnerability identifier: #VU97468
Vulnerability risk: Medium
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-307
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Keycloak
Server applications /
Directory software, identity management
Vendor: Keycloak
Description
The vulnerability allows a remote attacker to perform a brute-force attack.
The vulnerability exists due to an error when handling unsuccessful login attempts. A remote attacker can initiate multiple login requests simultaneously and bypass the configured limits for failed attempts before the system locks them out.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Keycloak: 19.0.0 - 19.0.3, 20.0.0 - 25.0.3
External links
https://bugzilla.redhat.com/show_bug.cgi?id=2276761
https://github.com/keycloak/keycloak/security/advisories/GHSA-gc7q-jgjv-vjr2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
