[MAVEN:GHSA-8WM9-24QG-M5QJ] Keycloak has a brute force login protection bypass

Severity Moderate
Affected Packages 1
Fixed Packages 1
CVEs 1

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Affected package: pkg:maven/org.keycloak/keycloak-services <= 24.0.3
Fixed package: pkg:maven/org.keycloak/keycloak-services = 24.0.4
ID: MAVEN:GHSA-8WM9-24QG-M5QJ
Severity: moderate
URL: https://github.com/advisories/GHSA-8wm9-24qg-m5qj
Published: 2024-09-03T21:31:12
Modified: 2024-09-03T21:57:41
Rights: Maven Security Team
Type      Package URL                                Namespace     Name / Product     Version    Distribution / Platform   Arch   Patch / Fix
Affected  pkg:maven/org.keycloak/keycloak-services   org.keycloak  keycloak-services  <= 24.0.3
Fixed     pkg:maven/org.keycloak/keycloak-services   org.keycloak  keycloak-services  = 24.0.4