github - ghsa-3hrr-xwvg-hxvr

ghsa-3hrr-xwvg-hxvr

Vulnerability from github

Published

2024-02-29 03:33

Modified

2024-06-11 18:15

Severity

3.7 (Low) - CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

Keycloak DoS via account lockout

Details

A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 23.0.5"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-1722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-645"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-29T20:10:52Z",
    "nvd_published_at": "2024-02-29T01:43:54Z",
    "severity": "LOW"
  },
  "details": "A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.",
  "id": "GHSA-3hrr-xwvg-hxvr",
  "modified": "2024-06-11T18:15:33Z",
  "published": "2024-02-29T03:33:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1722"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/issues/29603"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/issues/29603#issuecomment-2127499627"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1722"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265389"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak DoS via account lockout"
}

cve-2024-1722

Vulnerability from cvelistv5

Published

2024-02-27 17:39

Modified

2024-09-18 08:36

Severity

3.7 (Low) - cvssV3_1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

Keycloak-core: dos via account lockout

References

URL	Tags
https://access.redhat.com/security/cve/CVE-2024-1722	vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2265389	issue-tracking, x_refsource_REDHAT

Impacted products

Vendor	Product
Red Hat	Red Hat Build of Keycloak
Red Hat	Red Hat Single Sign-On 7

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-1722",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-29T20:52:47.119910Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:22:05.586Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:48:21.816Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2024-1722"
          },
          {
            "name": "RHBZ#2265389",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265389"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:"
          ],
          "defaultStatus": "affected",
          "packageName": "keycloak-core",
          "product": "Red Hat Build of Keycloak",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7"
          ],
          "defaultStatus": "affected",
          "packageName": "keycloak-core",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Maor Abutbul (CyberArk) for reporting this issue."
        }
      ],
      "datePublic": "2024-02-21T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Low"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-645",
              "description": "Overly Restrictive Account Lockout Mechanism",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-18T08:36:22.656Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-1722"
        },
        {
          "name": "RHBZ#2265389",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265389"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-02-12T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-02-21T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak-core: dos via account lockout",
      "workarounds": [
        {
          "lang": "en",
          "value": "Red Hat Product Security is not aware of a way to completely mitigate this issue. However, the following techniques can be used to help prevent exploitation:\n- Put limits on frequency of account registration, restricting how often an attacker could utilize this attack \n- Restrict new account registration to not allow email addresses in the username field, for example, by not allowing the \"@\" symbol. Note: this cannot prevent attacks against existing users who have registered with an email address.\n\nIf this vulnerability has been triggered, an administrator has two options to remedy it manually by modifying the second account (of the attacker):\n- Delete the account\n- Change the username"
        }
      ],
      "x_redhatCweChain": "CWE-645: Overly Restrictive Account Lockout Mechanism"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-1722",
    "datePublished": "2024-02-27T17:39:13.261Z",
    "dateReserved": "2024-02-21T19:39:16.206Z",
    "dateUpdated": "2024-09-18T08:36:22.656Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.