{
  "threat_severity" : "Low",
  "public_date" : "2024-09-03T19:38:00Z",
  "bugzilla" : {
    "description" : "keycloak: potential bypass of brute force protection",
    "id" : "2276761",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2276761"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-837",
  "details" : [ "A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems." ],
  "statement" : "This vulnerability is classified as low severity due to its potential impact on account security in Keycloak environments. By exploiting the timing between login attempts and the application of brute force protection, attackers can circumvent lockout mechanisms intended to prevent multiple failed authentication attempts. This allows attackers to increase the number of guesses they can make within the authentication system, potentially leading to unauthorized access to user accounts.\nRed Hat has evaluated this vulnerability and it only affects the Red Hat Single Sign-On (RHSSO) and Red Hat Build of Keycloak (RHBK).",
  "affected_release" : [ {
    "product_name" : "Red Hat Build of Keycloak",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6501",
    "cpe" : "cpe:/a:redhat:build_keycloak:22",
    "package" : "org.keycloak-keycloak-parent"
  }, {
    "product_name" : "Red Hat build of Keycloak 22",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6500",
    "cpe" : "cpe:/a:redhat:build_keycloak:22::el9",
    "package" : "rhbk/keycloak-operator-bundle:22.0.12-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 22",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6500",
    "cpe" : "cpe:/a:redhat:build_keycloak:22::el9",
    "package" : "rhbk/keycloak-rhel9:22-17"
  }, {
    "product_name" : "Red Hat build of Keycloak 22",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6500",
    "cpe" : "cpe:/a:redhat:build_keycloak:22::el9",
    "package" : "rhbk/keycloak-rhel9-operator:22-20"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6499",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6",
    "package" : "org.keycloak-keycloak-parent"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6493",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7",
    "package" : "rh-sso7-keycloak-0:18.0.16-1.redhat_00001.1.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6494",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8",
    "package" : "rh-sso7-keycloak-0:18.0.16-1.redhat_00001.1.el8sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6495",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9",
    "package" : "rh-sso7-keycloak-0:18.0.16-1.redhat_00001.1.el9sso"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6497",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rh-sso-7/sso76-openshift-rhel8:7.6-52"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-4629\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-4629" ],
  "name" : "CVE-2024-4629",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}